SPSS Finland Oy

Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228)


News

Abstract

IBM is actively responding to the reported remote code execution vulnerability in the Apache Log4j 2 Java library dubbed Log4Shell (or LogJam).

The IBM SPSS Statistics Development team has produced Interim Fixes for our currently supported versions, updating the Log4j .jar files to version 2.16.0. This version resolves both CVE-2021-44228 and CVE-2021-45046 vulnerabilities.

NOTE: These fixes have been updated to include Log4j version 2.16.0 to resolve both CVE-2021-44228 and CVE-2021-45046.
If you have downloaded fixes from this note prior to 17 December 2021, please download and apply these new, updated fixes.

Content

For more details about this specific vulnerability

  • See: https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/

For information about IBM SPSS Modeler

  • See https://www.ibm.com/support/pages/node/6526076

 

  • IBM SPSS Amos, IBM SPSS Data Access Pack and the IBM SPSS Concurrent License Manager and Tools products are not affected by this issue.
  • An Interim Fix now exists for each of the currently supported releases of IBM SPSS Statistics. Supported versions are release 25.0 and later.  If you have deployed IBM SPSS Statistics 24.0 or earlier, these versions are End of Service and are no longer supported.  Please upgrade to a supported release.
  • Update your version of IBM SPSS Statistics to the latest Fixpack (or Modified Release).

For example, if you have SPSS Statistics 27.0 deployed, update it to Statistics 27.0.1 before applying the associated interim fix.

If you do not know your current release and Fixpack level, see:

https://www-01.ibm.com/support/docview.wss?uid=swg21989276

Fixpacks and Modified Releases:

IBM SPSS Statistics 28.0 Modified Release 1

IBM SPSS Statistics 27.0 Modified Release 1

IBM SPSS Statistics 26.0 Fixpack 1

IBM SPSS Statistics 25.0 Fixpack 2

 

 

Interim Fixes

IBM SPSS Statistics 28.0.1.0, IF 009:  IF 28.0.1.0-9
IBM SPSS Statistics 27.0.1.0, IF 023:  IF 27.0.1.0-23
IBM SPSS Statistics 26.0.0.1 (Windows) or 26.0.0.2 (macOS), IF 017:  IF 26.0.1-017
IBM SPSS Statistics 25.0.0.2, IF 017: IF 25.0.0.2-17

IBM SPSS Modeler update to address security vulnerabilities CVE-2021-45105 and CVE-2021-45046

Apache Log4j CVE-2021-44228 vulnerability in IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services

Troubleshooting

 Problem

The recently documented security issues in the popular log4j library affect certain IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services deployments.

 

CVE-2021-44228 is known to affect log4j 2.0-2.14, which is used by the following products:

 

IBM SPSS Collaboration and Deployment Services 8.3 (Server, Remote Process Server, Remote Scoring Server, and Deployment Manager)

IBM SPSS Analytic Server 3.2.2 and 3.3

IBM SPSS Modeler 18.3, 18.2.2 (Client, Server, Batch, and Solution Publisher)

IBM SPSS Modeler Premium 18.3, 18.2.2

 

Patches for this issue are available for all affected components.

 

CVE-2021-4104 is reported to affect log4j 1.x (some sources state it affects strictly 1.2 while others are reporting 1.x).

Older versions of IBM SPSS Modeler (including Premium components), IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services leverage various versions of log4j 1.x.  Patches are being produced to update these products to use log4j 2.16+ resolving this issue.  
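To confirm what an installation actually contains before and after patching, the check below inventories Log4j jars under a directory and sorts them into the ranges this page names (1.x, 2.0-2.14, and the 2.16.0 or 2.17.0 fixed levels). It is an added example, not IBM's code; the function names are hypothetical, and it assumes the jars keep "log4j" in their file name and carry the version either in the file name or in the manifest's Implementation-Version attribute.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Fixed level named by the advisory; use (2, 17, 0) for the Modeler fixes.
FIXED_DEFAULT = (2, 16, 0)
NAME_RE = re.compile(r"-(\d+(?:\.\d+){1,2})\.jar$", re.I)
MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+){1,2})", re.M)


def jar_version(jar):
    """Version tuple from the trailing file-name version, else the manifest."""
    m = NAME_RE.search(jar.name)
    if not m:
        try:
            with zipfile.ZipFile(jar) as zf:
                text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = MANIFEST_RE.search(text)
        except (zipfile.BadZipFile, KeyError, OSError):
            return None
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version, fixed=FIXED_DEFAULT):
    """Map a version onto the ranges the advisory names."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "1.x (CVE-2021-4104 reported)"
    if version < (2, 15, 0):
        return "2.0-2.14 (CVE-2021-44228)"
    return "fixed level" if version >= fixed else "below fixed level"


def scan(root, fixed=FIXED_DEFAULT):
    """Return {relative path: verdict} for jars with 'log4j' in the name."""
    root = Path(root)
    return {j.relative_to(root).as_posix(): classify(jar_version(j), fixed)
            for j in sorted(root.rglob("*.jar")) if "log4j" in j.name.lower()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        for n in ("log4j-core-2.14.1.jar", "log4j-1.2.17.jar", "log4j-api-2.16.0.jar"):
            Path(d, n).touch()
        print(scan(d))
```

Any jar reported as "unknown" has neither a parseable file name nor a readable manifest version and needs manual inspection.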

Resolving The Problem

CVE-2021-44228 is resolved by available patches.

Patches for CVE-2021-4104 are still being developed.

 

Current patches are listed here.  Ensure all prerequisite patches are installed first.

 

IBM SPSS Modeler 18.3.0.0

1. interim fix: 18.3.0.0-IM-S18MODELER-IF007-Win64-LOG4J2-2.17.0 (10.38 MB)
18.3.0.0-IM-S18MODELER-IF007-Win64-LOG4J2-2.17.0
Dec 27, 2021

2. interim fix: 18.3.0.0-IM-S18MODELER-IF007-MacOS64-LOG4J2-2.17.0 (10.17 MB)
18.3.0.0-IM-S18MODELER-IF007-MacOS64-LOG4J2-2.17.0
Dec 27, 2021

3. interim fix: 18.3.0.0-IM-S18MODELER-IF007-zLinux64-LOG4J2-2.17.0 (10.3 MB)
18.3.0.0-IM-S18MODELER-IF007-zLinux64-LOG4J2-2.17.0
Dec 27, 2021

4. interim fix: 18.3.0.0-IM-S18MODELER-Premium-IF007-LOG4J2-2.17.0 (1.94 MB)
18.3.0.0-IM-S18MODELER-Premium-IF007-LOG4J2-2.17.0
Dec 27, 2021

5. interim fix: 18.3.0.0-IM-S18MODELER-IF007-pLinux64-LOG4J2-2.17.0 (10.3 MB)
18.3.0.0-IM-S18MODELER-IF007-pLinux64-LOG4J2-2.17.0
Dec 27, 2021

 

IBM SPSS Modeler 18.2.2.0

1. interim fix: 18.2.2.0-IM-S18MODELER-IF031-Log4j2_2.17.0 (1.93 MB)
18.2.2.0-IM-S18MODELER-IF031-Log4j2_2.17.0
Dec 27, 2021


2. interim fix: 18.2.2.0-IM-S18MODELER-Premium-IF031-LOG4J2-2.17.0 (1.93 MB)
18.2.2.0-IM-S18MODELER-Premium-IF031-LOG4J2-2.17.0
Dec 27, 2021

 

 



Apache Log4j CVE-2021-44228 vulnerability in IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services

Troubleshooting

Problem

The recently documented security issues in the popular log4j library affect certain IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services deployments.

 

CVE-2021-44228 is known to affect log4j 2.0-2.14, which is used by the following products:

 

IBM SPSS Collaboration and Deployment Services 8.3 (Server, Remote Process Server, Remote Scoring Server, and Deployment Manager)

IBM SPSS Analytic Server 3.2.2 and 3.3

IBM SPSS Modeler 18.3, 18.2.2 (Client, Server, Batch, and Solution Publisher)

IBM SPSS Modeler Premium 18.3, 18.2.2

 

Patches for this issue are available for all affected components.

 

CVE-2021-4104 is reported to affect log4j 1.x (some sources state it affects strictly 1.2 while others are reporting 1.x).

Older versions of IBM SPSS Modeler (including Premium components), IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services use various versions of log4j 1.x.  

Resolving The Problem

CVE-2021-44228 is resolved by available patches.

Current patches are listed here.  Ensure all prerequisite patches are installed first.

 

IBM SPSS Modeler 

Version 
18.3.0  
18.2.2  



IBM SPSS Collaboration and Deployment Services

Version | Link
8.3  
8.2.2

 

IBM SPSS Analytic Server 

3.3
3.2  

Cross-reference information

Product | Component | Platform | Version
IBM SPSS Analytic Server | Analytic Server->Fixes | Platform Independent | 3.2.2, 3.3.0
IBM SPSS Collaboration and Deployment Services | Collaboration and Deployment Services->Known Issues | Platform Independent | 8.3.0
IBM SPSS Modeler | Modeler->Known defects | Platform Independent | 18.3.0

Modified date:
03 April 2023

 

SPSS Statistics 25 fix updates

 

 

Fix Pack 2 for Statistics versions 25.0.0.0 and 25.0.0.1 (15.11.2018)

 

1. fix pack: 25.0-IM-S25STATC-Mac-FP002 (572.17 MB)
IBM SPSS Statistics Client 25.0 Mac Fix Pack 2
Nov 15, 2018

2. fix pack: 25.0-IM-S25STATC-WIN32-FP002 (536.02 MB)
IBM SPSS Statistics Client 25.0 Win 32 Fix Pack 2
Nov 15, 2018

3. fix pack: 25.0-IM-S25STATC-WIN64-FP002 (559.65 MB)
IBM SPSS Statistics Client 25.0 Win 64 Fix Pack 2
Nov 15, 2018
