Log4j Fixes for IBM SPSS Statistics

TrentO
Contributor II

I made a quick pkg installer for the SPSS Statistics log4j fixes since IBM only gave us jar files. Feel free to modify as needed for your environment. The pkg was created using munkipkg, so the source is available on the repo as well.

Full Repo: https://github.com/tcoliver/IBM-SPSS-log4j-fixes
PKG Download: https://github.com/tcoliver/IBM-SPSS-log4j-fixes/blob/main/build/ibm_spss_fix_log4j-3.0.pkg
IBM Security Bulletin: https://www.ibm.com/support/pages/node/6526182


UPDATE 12/21/21:
The pkg has been updated to reflect the new fix release for log4j 2.16 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15) and remove them.


UPDATE 1/3/22:

The pkg has been updated to reflect the new fix release for log4j 2.17 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15 & 2.16) and remove them.


UPDATE 2/1/22:

The pkg has been updated to reflect the new fix release for log4j 2.17.1 found here: https://www.ibm.com/support/pages/node/6525830

It will now also check for the old fix files (version 2.15, 2.16 & 2.17) and remove them.

 

16 REPLIES 16

deramirez
New Contributor III

Which SPSS version(s) does this address?

cvangorp
New Contributor III

From what I am seeing in the repo script V25-28

The 4 listed in the security bulletin:

  • 28.0.1
  • 27.0.1
  • 26.0
  • 25.0

efil4xiN
Contributor II

Awesome TY, look like we may need to add 2.16 jar file now

Yeah. I saw a post on Hacker News stating that 2.15 was only a best effort fix. I’ll keep an eye out for IBM’s update so I can update the package. 

cvangorp
New Contributor III

@TrentO   Looks like IBM released 2.16 versions of jar files.   🙂  or at least for 27 when I checked today in building PC version of this fix.

Thank you!

updated the github repo to reflect the new fixes. The new pkg will cleanup the old 2.15 fix as well when its applied.

deramirez
New Contributor III

Maybe I am doing something wrong, but I run the package on a test computer and I still see the "2.13.3" jar files. This is after testing the 2.0 pkg.

 

Edit: Nevermind... Got it to work! 

Happy Holidays!

 




jclements
New Contributor III

Did you have to do anything beyond running the .pkg installer?  I ask because my scanner reports exactly the same vulnerable files after installing the 2.0 pkg

deramirez
New Contributor III

I ended up creating a script that removed all de log4j files from the folder(s) in question. 

Then with jamf composer, I created an "Update" that would add the updated files to the folders. 

Please note that as someone mentioned below, folder names/paths, are different depending on the version. 

efil4xiN
Contributor II

Ty @TrentO 

jclements
New Contributor III

@TrentO Is it possible that your post-install script is only checking SPSS version 28.0.1 or greater? 

 

I've run ibm_spss_fix_log4j-2.0.pkg on two machines and both report "[spss] is not vulnerable."  They're definitely still vulnerable, though.  They have SPSS version 28.0.0.0.  I see in your post-install script, in the lines that define SPSS_VERSION, 28 is defined as 28.0.1*.  Would that prevent my SPSS installs from being scanned properly?

Correct. According to IBM the patch only officially applies to versions 25.0, 26.0, 27.0.1, and 28.0.1. Their recommendation for 27.0.0 and 28.0.0 is to update to the latest modified release then apply the patch. It may be fine to replace the jar files in the non-supported versions, but I did not include them since it’s not recommended. If you want to apply the patch to those versions, you can delete the “.1” from each case statement then rebuild the pkg. 

phons
New Contributor

Each version has different folders in the app. For instance 28.01 has \bin\as-3.3.0.0 but 28.0.0 has \bin\as-3.2.3.0, so I had to separate out the versions and add cases and functions for those two different versions

hcodfrie
Contributor

any change that you can add the 2.17.1 fix from IBM

of course. Thanks for the heads up. I must have missed the notification for the 2.17.1 release. Ill update the pkg shortly.

update 2/1/22: Done