Which SPSS version(s) does this address?
Which SPSS version(s) does this address?
From what I am seeing in the repo script V25-28
Which SPSS version(s) does this address?
The 4 listed in the security bulletin:
Awesome TY, look like we may need to add 2.16 jar file now
Awesome TY, look like we may need to add 2.16 jar file now
Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package.
Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package.
@TrentO Looks like IBM released 2.16 versions of jar files. 🙂 or at least for 27 when I checked today in building PC version of this fix.
Thank you!
@TrentO Looks like IBM released 2.16 versions of jar files. 🙂 or at least for 27 when I checked today in building PC version of this fix.
Thank you!
updated the github repo to reflect the new fixes. The new pkg will cleanup the old 2.15 fix as well when its applied.
Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.
Edit: Nevermind... Got it to work!
Happy Holidays!
Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.
Edit: Nevermind... Got it to work!
Happy Holidays!
Did you have to do anything beyond running the .pkg installer? I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg
@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater?
I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable." They're definitely still vulnerable, though. They have SPSS version 28.0.0.0. I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*. Would that prevent my SPSS installs from being scanned properly?
@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater?
I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable." They're definitely still vulnerable, though. They have SPSS version 28.0.0.0. I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*. Would that prevent my SPSS installs from being scanned properly?
Correct. According to IBM the patch only officially applies to versions 25.0, 26.0, 27.0.1, and 28.0.1. Their recommendation for 27.0.0 and 28.0.0 is to update to the latest modified release then apply the patch. It may be fine to replace the jar files in the non-supported versions, but I did not include them since it’s not recommended. If you want to apply the patch to those versions, you can delete the “.1” from each case statement then rebuild the pkg.
Each version has different folders in the app. For instance 28.01 has \\bin\\as-3.3.0.0 but 28.0.0 has \\bin\\as-3.2.3.0, so I had to separate out the versions and add cases and functions for those two different versions
any change that you can add the 2.17.1 fix from IBM
any change that you can add the 2.17.1 fix from IBM
of course. Thanks for the heads up. I must have missed the notification for the 2.17.1 release. Ill update the pkg shortly.
update 2/1/22: Done
Did you have to do anything beyond running the .pkg installer? I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg
I ended up creating a script that removed all de log4j files from the folder(s) in question.
Then with jamf composer, I created an "Update" that would add the updated files to the folders.
Please note that as someone mentioned below, folder names/paths, are different depending on the version.
