
Log4j Fixes for IBM SPSS Statistics

  • December 17, 2021

I made a quick pkg installer for the SPSS Statistics log4j fixes since IBM only gave us jar files. Feel free to modify as needed for your environment. The pkg was created using munkipkg, so the source is available on the repo as well.

Full Repo: https://github.com/tcoliver/IBM-SPSS-log4j-fixes
PKG Download: https://github.com/tcoliver/IBM-SPSS-log4j-fixes/blob/main/build/ibm_spss_fix_log4j-3.0.pkg
IBM Security Bulletin: https://www.ibm.com/support/pages/node/6526182


UPDATE 12/21/21:
The pkg has been updated to reflect the new fix release for log4j 2.16 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15) and remove them.


UPDATE 1/3/22:

The pkg has been updated to reflect the new fix release for log4j 2.17 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15 & 2.16) and remove them.


UPDATE 2/1/22:

The pkg has been updated to reflect the new fix release for log4j 2.17.1 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15, 2.16 & 2.17) and remove them.

 


  • December 17, 2021

Which SPSS version(s) does this address?


cvangorp
  • December 17, 2021

Which SPSS version(s) does this address?


From what I am seeing in the repo script, V25-28.


  • Author
  • December 17, 2021

Which SPSS version(s) does this address?


The 4 listed in the security bulletin:

  • 28.0.1
  • 27.0.1
  • 26.0
  • 25.0

  • December 17, 2021

Awesome, TY. Looks like we may need to add the 2.16 jar file now.


  • Author
  • December 17, 2021

Awesome, TY. Looks like we may need to add the 2.16 jar file now.


Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package. 


cvangorp
  • December 20, 2021

Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package. 


@TrentO Looks like IBM released 2.16 versions of the jar files 🙂, or at least for 27 when I checked today while building the PC version of this fix.

Thank you!


  • Author
  • December 21, 2021

@TrentO Looks like IBM released 2.16 versions of the jar files 🙂, or at least for 27 when I checked today while building the PC version of this fix.

Thank you!


Updated the GitHub repo to reflect the new fixes. The new pkg will clean up the old 2.15 fix as well when it's applied.


  • December 22, 2021

Maybe I am doing something wrong, but I ran the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.

Edit: Never mind... Got it to work!

Happy Holidays!

  • December 23, 2021

Ty @TrentO 


jclements
  • December 23, 2021

Maybe I am doing something wrong, but I ran the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.

Edit: Never mind... Got it to work!

Happy Holidays!


Did you have to do anything beyond running the .pkg installer? I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg.


jclements
  • December 23, 2021

@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater?

I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable." They're definitely still vulnerable, though. They have SPSS version 28.0.0.0. I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*. Would that prevent my SPSS installs from being scanned properly?


  • Author
  • December 23, 2021

@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater?

I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable." They're definitely still vulnerable, though. They have SPSS version 28.0.0.0. I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*. Would that prevent my SPSS installs from being scanned properly?


Correct. According to IBM, the patch only officially applies to versions 25.0, 26.0, 27.0.1, and 28.0.1. Their recommendation for 27.0.0 and 28.0.0 is to update to the latest modified release and then apply the patch. It may be fine to replace the jar files in the non-supported versions, but I did not include them since it’s not recommended. If you want to apply the patch to those versions, you can delete the “.1” from each case statement and then rebuild the pkg.


  • January 19, 2022

Each version has different folders in the app. For instance, 28.0.1 has \\bin\\as-3.3.0.0 but 28.0.0 has \\bin\\as-3.2.3.0, so I had to separate out the versions and add cases and functions for those two different versions.


  • January 31, 2022

Any chance that you can add the 2.17.1 fix from IBM?


  • Author
  • February 1, 2022

Any chance that you can add the 2.17.1 fix from IBM?


Of course. Thanks for the heads-up. I must have missed the notification for the 2.17.1 release. I'll update the pkg shortly.

Update 2/1/22: Done


  • February 1, 2022

Did you have to do anything beyond running the .pkg installer? I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg.


I ended up creating a script that removed all the log4j files from the folder(s) in question.

Then, with Jamf Composer, I created an "Update" that would add the updated files to the folders.

Please note that, as someone mentioned below, folder names/paths are different depending on the version.
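One way to check an install the way the thread's scanner and post-install script do, as an added example that is not the pkg's own script: it mirrors the case-statement version gate the author describes (only 25.0, 26.0, 27.0.1 and 28.0.1 match, so 28.0.0.0 falls through unpatched) and then lists every log4j jar under a directory, flagging anything older than the 2.17.1 fix. The jar naming pattern (log4j-<module>-<version>.jar), the lib directory layout and the fixture files are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the pkg's post-install script). Assumes SPSS ships jars
# named log4j-<module>-<version>.jar somewhere under the app directory.

MIN_LOG4J="2.17.1"   # version shipped by the last IBM fix in the thread

# Mirrors the pkg's version gate: IBM's fix officially targets only these
# modified releases, so 28.0.0.0 falls through to the default case.
fix_applies_to() {
    case "$1" in
        28.0.1*|27.0.1*|26.0*|25.0*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-version compare without sort -V (absent on macOS): true if $1 >= $2.
version_ge() {
    top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$top" = "$1" ]
}

# Print "OK|OUTDATED <version> <path>" for each versioned log4j jar under $1.
audit_log4j() {
    find "$1" -type f -name 'log4j-*.jar' | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed -n 's/^log4j-.*-\([0-9][0-9.]*\)$/\1/p')
        [ -n "$ver" ] || continue          # not a versioned log4j jar
        if version_ge "$ver" "$MIN_LOG4J"; then
            echo "OK $ver $jar"
        else
            echo "OUTDATED $ver $jar"
        fi
    done
}

# Number of jars still below MIN_LOG4J (what a scanner would keep flagging).
count_outdated() {
    audit_log4j "$1" | grep -c '^OUTDATED'
}

# Constructed fixture standing in for an SPSS 28.0.1 install after a partial fix
# (two stock 2.13.3 jars left behind, one 2.17.1 jar, one unrelated jar).
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/bin/as-3.3.0.0/lib"
    touch "$d/bin/as-3.3.0.0/lib/log4j-core-2.13.3.jar" \
          "$d/bin/as-3.3.0.0/lib/log4j-api-2.13.3.jar" \
          "$d/bin/as-3.3.0.0/lib/log4j-1.2-api-2.17.1.jar" \
          "$d/bin/as-3.3.0.0/lib/other-lib-1.0.jar"
    echo "$d"
}
```

Point audit_log4j at the real SPSS app directory to see which jars a scanner would still report; make_fixture only builds a throwaway tree for trying it offline.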