IBM SPSS Modeler update to address security vulnerabilities CVE-2021-45105 and CVE-2021-45046
Apache Log4j CVE-2021-44228 vulnerability in IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services
Troubleshooting
Problem
Recently documented security issues in the popular log4j library affect certain IBM SPSS Modeler, IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services deployments.
CVE-2021-44228 is known to affect log4j 2.0-2.14, which is used by the following products:
IBM SPSS Collaboration and Deployment Services 8.3 (Server, Remote Process Server, Remote Scoring Server, and Deployment Manager)
IBM SPSS Analytic Server 3.2.2 and 3.3
IBM SPSS Modeler 18.3, 18.2.2 (Client, Server, Batch, and Solution Publisher)
IBM SPSS Modeler Premium 18.3, 18.2.2
Patches for this issue are available for all affected components.
CVE-2021-4104 is reported to affect log4j 1.x (some sources state it affects strictly 1.2 while others are reporting 1.x).
Older versions of IBM SPSS Modeler (including Premium components), IBM SPSS Analytic Server, and IBM SPSS Collaboration and Deployment Services use various versions of log4j 1.x. Patches are being produced to update these products to log4j 2.16+, which resolves this issue.
Resolving The Problem
CVE-2021-44228 is resolved by available patches.
Patches for CVE-2021-4104 are still being developed.
Current patches are listed here. Ensure all prerequisite patches are installed first.
IBM SPSS Modeler 18.3.0.0
1. interim fix: 18.3.0.0-IM-S18MODELER-IF007-Win64-LOG4J2-2.17.0 (10.38 MB)
18.3.0.0-IM-S18MODELER-IF007-Win64-LOG4J2-2.17.0
Dec 27, 2021
2. interim fix: 18.3.0.0-IM-S18MODELER-IF007-MacOS64-LOG4J2-2.17.0 (10.17 MB)
18.3.0.0-IM-S18MODELER-IF007-MacOS64-LOG4J2-2.17.0
Dec 27, 2021
3. interim fix: 18.3.0.0-IM-S18MODELER-IF007-zLinux64-LOG4J2-2.17.0 (10.3 MB)
18.3.0.0-IM-S18MODELER-IF007-zLinux64-LOG4J2-2.17.0
Dec 27, 2021
4. interim fix: 18.3.0.0-IM-S18MODELER-Premium-IF007-LOG4J2-2.17.0 (1.94 MB)
18.3.0.0-IM-S18MODELER-Premium-IF007-LOG4J2-2.17.0
Dec 27, 2021
5. interim fix: 18.3.0.0-IM-S18MODELER-IF007-pLinux64-LOG4J2-2.17.0 (10.3 MB)
18.3.0.0-IM-S18MODELER-IF007-pLinux64-LOG4J2-2.17.0
Dec 27, 2021
IBM SPSS Modeler 18.2.2.0
1. interim fix: 18.2.2.0-IM-S18MODELER-IF031-Log4j2_2.17.0 (1.93 MB)
18.2.2.0-IM-S18MODELER-IF031-Log4j2_2.17.0
Dec 27, 2021
2. interim fix: 18.2.2.0-IM-S18MODELER-Premium-IF031-LOG4J2-2.17.0 (1.93 MB)
18.2.2.0-IM-S18MODELER-Premium-IF031-LOG4J2-2.17.0
Dec 27, 2021
IBM SPSS Modeler
| Version | Link |
|---|---|
| 18.3.0 | |
| 18.2.2 | |
IBM SPSS Collaboration and Deployment Services
| Version | Link |
|---|---|
| 8.3 | |
| 8.2.2 | |
IBM SPSS Analytic Server
| Version | Link |
|---|---|
| 3.3 | |
| 3.2 | |
Cross-reference information
| Product | Component | Platform | Version | 
|---|---|---|---|
| IBM SPSS Analytic Server | Analytic Server->Fixes | Platform Independent | 3.2.2, 3.3.0 | 
| IBM SPSS Collaboration and Deployment Services | Collaboration and Deployment Services->Known Issues | Platform Independent | 8.3.0 | 
| IBM SPSS Modeler | Modeler->Known defects | Platform Independent | 18.3.0 | 
Modified date:
03 April 2023
SPSS Statistics 23 fix updates
SPSS Statistics 23.0 FixPack 2
Fix Pack 2 for Statistics Client version 23.0.0.2 (30.09.2015)
SPSS Statistics 25 fix updates
Fix Pack 2 for Statistics versions 25.0.0.0 and 25.0.0.1 (15.11.2018)
1. fix pack: 25.0-IM-S25STATC-Mac-FP002 (572.17 MB)
 IBM SPSS Statistics Client 25.0 Mac Fix Pack 2
 Nov 15, 2018
2. fix pack: 25.0-IM-S25STATC-WIN32-FP002 (536.02 MB)
 IBM SPSS Statistics Client 25.0 Win 32 Fix Pack 2
 Nov 15, 2018
3. fix pack: 25.0-IM-S25STATC-WIN64-FP002 (559.65 MB)
 IBM SPSS Statistics Client 25.0 Win 64 Fix Pack 2
 Nov 15, 2018
