Skip to main content

I made a quick pkg installer for the SPSS Statistics log4j fixes since IBM only gave us jar files. Feel free to modify as needed for your environment. The pkg was created using munkipkg, so the source is available on the repo as well.

Full Repo: https://github.com/tcoliver/IBM-SPSS-log4j-fixes
PKG Download: https://github.com/tcoliver/IBM-SPSS-log4j-fixes/blob/main/build/ibm_spss_fix_log4j-3.0.pkg
IBM Security Bulletin: https://www.ibm.com/support/pages/node/6526182


UPDATE 12/21/21:
The pkg has been updated to reflect the new fix release for log4j 2.16 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15) and remove them.


UPDATE 1/3/22:

The pkg has been updated to reflect the new fix release for log4j 2.17 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15 & 2.16) and remove them.


UPDATE 2/1/22:

The pkg has been updated to reflect the new fix release for log4j 2.17.1 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15, 2.16 & 2.17) and remove them.

 

Which SPSS version(s) does this address?


Which SPSS version(s) does this address?


From what I am seeing in the repo script V25-28


Which SPSS version(s) does this address?


The 4 listed in the security bulletin:

  • 28.0.1
  • 27.0.1
  • 26.0
  • 25.0

Awesome TY, look like we may need to add 2.16 jar file now


Awesome TY, look like we may need to add 2.16 jar file now


Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package. 


Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package. 


@TrentO   Looks like IBM released 2.16 versions of jar files.   🙂  or at least for 27 when I checked today in building PC version of this fix.

Thank you!


@TrentO   Looks like IBM released 2.16 versions of jar files.   🙂  or at least for 27 when I checked today in building PC version of this fix.

Thank you!


updated the github repo to reflect the new fixes. The new pkg will cleanup the old 2.15 fix as well when its applied.


Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.

 

Edit: Nevermind... Got it to work! 

Happy Holidays!

 





Ty @TrentO 


Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.

 

Edit: Nevermind... Got it to work! 

Happy Holidays!

 





Did you have to do anything beyond running the .pkg installer?  I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg


@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater? 

 

I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable."  They're definitely still vulnerable, though.  They have SPSS version 28.0.0.0.  I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*.  Would that prevent my SPSS installs from being scanned properly?


@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater? 

 

I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable."  They're definitely still vulnerable, though.  They have SPSS version 28.0.0.0.  I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*.  Would that prevent my SPSS installs from being scanned properly?


Correct. According to IBM the patch only officially applies to versions 25.0, 26.0, 27.0.1, and 28.0.1. Their recommendation for 27.0.0 and 28.0.0 is to update to the latest modified release then apply the patch. It may be fine to replace the jar files in the non-supported versions, but I did not include them since it’s not recommended. If you want to apply the patch to those versions, you can delete the “.1” from each case statement then rebuild the pkg. 


Each version has different folders in the app. For instance 28.01 has \\bin\\as-3.3.0.0 but 28.0.0 has \\bin\\as-3.2.3.0, so I had to separate out the versions and add cases and functions for those two different versions


any change that you can add the 2.17.1 fix from IBM


any change that you can add the 2.17.1 fix from IBM


of course. Thanks for the heads up. I must have missed the notification for the 2.17.1 release. Ill update the pkg shortly.

update 2/1/22: Done


Did you have to do anything beyond running the .pkg installer?  I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg


I ended up creating a script that removed all de log4j files from the folder(s) in question. 

Then with jamf composer, I created an "Update" that would add the updated files to the folders. 

Please note that as someone mentioned below, folder names/paths, are different depending on the version. 


Reply