12-17-2021 05:42 AM - edited 02-01-2022 10:31 AM
I made a quick pkg installer for the SPSS Statistics log4j fixes since IBM only gave us jar files. Feel free to modify as needed for your environment. The pkg was created using munkipkg, so the source is available on the repo as well.
Full Repo: https://github.com/tcoliver/IBM-SPSS-log4j-fixes
PKG Download: https://github.com/tcoliver/IBM-SPSS-log4j-fixes/blob/main/build/ibm_spss_fix_log4j-3.0.pkg
IBM Security Bulletin: https://www.ibm.com/support/pages/node/6526182
The pkg has been updated to reflect the new fix release for log4j 2.16 found here: https://www.ibm.com/support/pages/node/6525830
It will now also check for the old fix files (version 2.15) and remove them.
The pkg has been updated to reflect the new fix release for log4j 2.17 found here: https://www.ibm.com/support/pages/node/6525830
It will now also check for the old fix files (version 2.15 & 2.16) and remove them.
The pkg has been updated to reflect the new fix release for log4j 2.17.1 found here: https://www.ibm.com/support/pages/node/6525830
It will now also check for the old fix files (version 2.15, 2.16 & 2.17) and remove them.
Posted on 12-17-2021 07:37 AM
Which SPSS version(s) does this address?
Posted on 12-17-2021 07:40 AM
From what I am seeing in the repo script V25-28
Posted on 12-17-2021 07:43 AM
The 4 listed in the security bulletin:
Posted on 12-17-2021 01:44 PM
Awesome TY, look like we may need to add 2.16 jar file now
Posted on 12-17-2021 02:06 PM
Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package.
Posted on 12-20-2021 02:06 PM
@TrentO Looks like IBM released 2.16 versions of jar files. 🙂 or at least for 27 when I checked today in building PC version of this fix.
Posted on 12-21-2021 09:36 AM
updated the github repo to reflect the new fixes. The new pkg will cleanup the old 2.15 fix as well when its applied.
12-22-2021 12:27 PM - edited 12-22-2021 04:31 PM
Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.
Edit: Nevermind... Got it to work!
Posted on 12-23-2021 09:45 AM
Did you have to do anything beyond running the .pkg installer? I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg
Posted on 02-01-2022 09:39 AM
I ended up creating a script that removed all de log4j files from the folder(s) in question.
Then with jamf composer, I created an "Update" that would add the updated files to the folders.
Please note that as someone mentioned below, folder names/paths, are different depending on the version.
Posted on 12-23-2021 05:59 AM
Posted on 12-23-2021 10:24 AM
@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater?
I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable." They're definitely still vulnerable, though. They have SPSS version 126.96.36.199. I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*. Would that prevent my SPSS installs from being scanned properly?
Posted on 12-23-2021 10:35 AM
Correct. According to IBM the patch only officially applies to versions 25.0, 26.0, 27.0.1, and 28.0.1. Their recommendation for 27.0.0 and 28.0.0 is to update to the latest modified release then apply the patch. It may be fine to replace the jar files in the non-supported versions, but I did not include them since it’s not recommended. If you want to apply the patch to those versions, you can delete the “.1” from each case statement then rebuild the pkg.
Posted on 01-19-2022 02:58 PM
Each version has different folders in the app. For instance 28.01 has \bin\as-188.8.131.52 but 28.0.0 has \bin\as-184.108.40.206, so I had to separate out the versions and add cases and functions for those two different versions
Posted on 01-31-2022 08:15 AM
any change that you can add the 2.17.1 fix from IBM
02-01-2022 09:31 AM - edited 02-01-2022 10:33 AM
of course. Thanks for the heads up. I must have missed the notification for the 2.17.1 release. Ill update the pkg shortly.
update 2/1/22: Done