SPSS Finland Oy

Security Bulletin: A Denial of Service Vulnerability in Zlib affects IBM SPSS Statistics (CVE-2018-25032)

Security Bulletin

 

Summary

There is a vulnerability in the Zlib version used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the vulnerability.

Vulnerability Details

CVEID:   CVE-2018-25032
DESCRIPTION:   Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s): SPSS Statistics
Version(s): 29.0

Remediation/Fixes

Affected Product(s): SPSS Statistics
Version(s): 29.0
Remediation/Fix: Install Statistics 29.0.1.0

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

24 Apr 2023: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

IBM SPSS Modeler Interim Fix Update to address Log4J Vulnerability (CVE-2021-45105 and CVE-2021-45046)

Download

 

Abstract

IBM SPSS Modeler update to address security vulnerabilities CVE-2021-45105 and CVE-2021-45046

Download Description

Please refer to the Security Bulletin for more information.

Prerequisites

This interim fix can only be installed over existing installations of IBM SPSS Modeler 18.3/18.2.2

 

IBM SPSS Modeler Client 18.3/18.2.2,
IBM SPSS Modeler Server 18.3/18.2.2,
IBM SPSS Modeler Batch 18.3/18.2.2,

IBM SPSS Modeler Solution Publisher 18.3/18.2.2

Installation Instructions

---------------------------------------
BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THE SPSS LICENSE AGREEMENT UNDER WHICH YOU ACQUIRED IBM SPSS Modeler.
BY AGREEING, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO ACCEPT THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS,
- DO NOT DOWNLOAD, INSTALL, COPY, ACCESS, OR USE THE SOFTWARE; AND
- PROMPTLY RETURN THE UNUSED MEDIA AND DOCUMENTATION TO THE PARTY FROM WHOM IT WAS OBTAINED. IF THE SOFTWARE WAS DOWNLOADED, DESTROY ALL COPIES OF THE SOFTWARE.

 

Please refer to the installation text file in the downloaded packages for detailed information.

Bugs Fixed:
--------------------

PSIRT:  Log4J2 Vulnerability affects IBM SPSS Modeler (CVE-2021-45105 and CVE-2021-45046)

 

Affected Products:

--------------------

 

IBM SPSS Modeler Client 18.3/18.2.2,
IBM SPSS Modeler Server 18.3/18.2.2,
IBM SPSS Modeler Batch 18.3/18.2.2,

IBM SPSS Modeler Solution Publisher 18.3/18.2.2

Download Package

Problems Solved

interim fix: 18.3.0.0-IM-S18MODELER-Premium-IF022-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-IF022-zLinux64-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-IF022-Win64-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-IF022-pLinux64-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-IF022-MacOS64-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-IF022-Linux64-LOG4J2-2.17.1 

2023/01/04

interim fix: 18.3.0.0-IM-S18MODELER-Adapter-IF022-LOG4J2-2.17.1 

2023/01/04

 

 

 

1. interim fix: 18.3.0.0-IM-S18MODELER-Win64-IF006-LOG4J2 (10.38 MB)
Dec 14, 2021

2. interim fix: 18.3.0.0-IM-S18MODELER-MacOS64-IF006-LOG4J2 (10.17 MB)
Dec 14, 2021

3. interim fix: 18.3.0.0-IM-S18MODELER-IF006-zLinux64-LOG4J2 (10.3 MB)
Dec 14, 2021

4. interim fix: 18.3.0.0-IM-S18MODELER-Premium-IF006-LOG4J2 (1.94 MB)
Dec 14, 2021

5. interim fix: 18.3.0.0-IM-S18MODELER-IF006-pLinux64-LOG4J2 (10.3 MB)
Dec 14, 2021

 

 

 

IBM SPSS Modeler Interim Fix Update for Upgrading log4j1 in Modeler 18.2.2, Modeler 18.2.1 Fix Pack 1, Modeler 18.2, Modeler 18.1.1 and Modeler 18.1

Download

 Abstract

IBM SPSS Modeler update for upgrading log4j 1.x to log4j 2.x

Download Description

Log4j 1.x is out of service. If log4j 1.x has a security issue, the recommendation is to upgrade to log4j 2.x.

Prerequisites

This interim fix can only be installed over existing installations of IBM SPSS Modeler 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1

 

IBM SPSS Modeler Client 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,
IBM SPSS Modeler Server 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,
IBM SPSS Modeler Batch 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,

IBM SPSS Modeler Solution Publisher 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1

IBM SPSS Modeler Adapter 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,

Installation Instructions

---------------------------------------
BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THE SPSS LICENSE AGREEMENT UNDER WHICH YOU ACQUIRED IBM SPSS Modeler.
BY AGREEING, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO ACCEPT THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS,
- DO NOT DOWNLOAD, INSTALL, COPY, ACCESS, OR USE THE SOFTWARE; AND
- PROMPTLY RETURN THE UNUSED MEDIA AND DOCUMENTATION TO THE PARTY FROM WHOM IT WAS OBTAINED. IF THE SOFTWARE WAS DOWNLOADED, DESTROY ALL COPIES OF THE SOFTWARE.

 

Please refer to the installation text file in the downloaded packages for detailed information.

Bugs Fixed:
--------------------

Log4j 1.x upgrade to log4j 2.x

 

Affected Products:

--------------------

 

IBM SPSS Modeler Client 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,
IBM SPSS Modeler Server 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,
IBM SPSS Modeler Batch 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,

IBM SPSS Modeler Solution Publisher 18.2.2/18.2.1 Fix Pack 1/18.2/18.1.1/18.1,

Download Package

Problems Solved

Log4j 1.x upgrade to log4j 2.x

 

interim fix: 18.2.2.0-IM-S18MODELER-Adapter-IF033-LOG4J2-2.17.1 (2.12 MB)
Jul 3, 2022

interim fix: 18.2.2.0-IM-S18MODELER-IF033-Linux64-Log4j2-2.17.1 (8.36 MB)
Mar 18, 2022

interim fix: 18.2.2.0-IM-S18MODELER-IF033-Mac-Log4j2-2.17.1 (7.79 MB)
Mar 18, 2022

interim fix: 18.2.2.0-IM-S18MODELER-IF033-pLinux64-Log4j2-2.17.1 (8.36 MB)
Mar 18, 2022

interim fix: 18.2.2.0-IM-S18MODELER-IF033-Win64-Log4j2-2.17.1 (8.46 MB)
Mar 18, 2022

interim fix: 18.2.2.0-IM-S18MODELER-IF033-zLinux64-Log4j2-2.17.1 (8.36 MB)
Mar 18, 2022

interim fix: 18.2.2.0-IM-S18MODELER-Premium-IF033-LOG4J2-2.17.1 (1.93 MB)
Mar 18, 2022

 

IBM SPSS Modeler 18.2.2.0

1. interim fix: 18.2.2.0-IM-S18MODELER-IF030-Log4j2 (1.93 MB)
Dec 14, 2021

2. interim fix: 18.2.2.0-IM-S18MODELER-Premium-IF030-LOG4J2 (1.93 MB)
Dec 14, 2021

 

 

SPSS Modeler 16.0 Fix Pack 2

Downloadable files


Abstract

This Fix Pack will upgrade your IBM SPSS Modeler 16.0 installation to IBM SPSS Modeler 16.0 FP2 (16.0.0.2). It applies to IBM SPSS Modeler Professional and IBM SPSS Modeler Premium.

Download Description

This Fix Pack provides important product corrections for IBM SPSS Modeler 16.0.

Fix Pack packages are available for IBM SPSS Modeler Professional components from the download table below. Fix Pack packages for the IBM SPSS Modeler Premium add-ons -- Text Analytics (TA), Entity Analytics (EA), and Social Network Analysis (SNA) -- can be obtained from SPSS Modeler 16.0 Fix Pack 2 - Premium Add-ons.

If you have IBM SPSS Analytic Server installed, you must update to its Fix Pack 1 version or it will not work with Modeler 16.0 Fix Pack 2.

Issues corrected: Fix List

For release notes, refer to the SPSS Modeler 16.0 Fix Pack 2 Release Notes. A guide to the installation order for IBM SPSS Modeler products is also available.

Prerequisites

There are separate Fix Packs for client and server (which must be installed over an existing installation of IBM SPSS Modeler 16.0), and also for C&DS Adapters, Modeler Server Administrative Console, and Scoring Adapters.

NOTE: If you are applying a Fix Pack to any part of the Modeler distribution (Batch, Server, Client, Collaboration and Deployment Services (C&DS) adapters, Social Network Analysis (SNA), Entity Analytics (EA), Text Analytics (TA), or Modeler Scoring Adapter), ensure you install the equivalent Fix Pack to all parts of the Modeler distribution you have installed if there is a Fix Pack available. In addition, if applying the Modeler 16.0 Fix Pack 2 adapter to C&DS, first apply the required C&DS Fix Pack. These are detailed in the Modeler Adapter installation instructions below.

Note that the Modeler Adapter Fix Packs on this page apply to both Modeler Professional and Modeler Premium (there are no separate Modeler Adapter Fix Packs specific to Premium).

IBM Collaboration and Deployment Services Fix Packs are available at C&DS 6 Fix Pack 2 or C&DS 5 Fix Pack 3, depending on your version.

There is no separate Fix Pack installation for Entity Analytics Unleashed (EAU). Customers using EAU should install the Fix Packs for Modeler and EA.


WARNING: If you are using Internet Explorer to download the UNIX or Linux Fix Packs, using the HTTP download method, do not left-click the package on the Fix Central page that displays the package for download. This will cause your browser to freeze. Instead, right-click the package and select Save target as to download it.

 

16.0-IM-S16MODELERClient-WIN64-FP002.zip

16.0-IM-S16MODELERServer-WIN64-FP002.zip

16.0-IM-S16MODELERClient-WIN32-FP002.zip



Copyright © 2015, SPSS Finland Oy. All rights reserved.
SPSS Finland Oy, Klovinpellontie 1-3, 02180 Espoo, Finland
