SPSS Statistics

  • 1.  SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Tue December 14, 2021 09:07 AM
    Hello,

    We are currently still using SPSS 24; what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

    ------------------------------
    Fabian Schäfer
    ------------------------------


  • 2.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Tue December 14, 2021 09:26 AM
    Hi, Fabian.

    Unfortunately, SPSS 24 reached its "End-Of-Support" as of last September. A fix is not in the works for that version.

    ------------------------------
    Rick Marcantonio
    Quality Assurance
    IBM
    ------------------------------



  • 3.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Tue December 14, 2021 10:31 AM
    Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue.

    ------------------------------
    Rick Marcantonio
    Quality Assurance
    IBM
    ------------------------------



  • 4.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Wed December 15, 2021 09:39 AM
    FYI, there is another less severe CVE on log4j 1.x: https://access.redhat.com/security/cve/CVE-2021-4104. Upgrading Statistics is the recommended solution.

    ------------------------------
    Curtis Browning
    SPSS Statistics Architect
    ------------------------------



  • 5.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Wed December 15, 2021 03:42 PM
    Hi Rick,
    Are you able to confirm if this is the case for versions 22 to 24 as well, or is it still recommended to update immediately?

    ------------------------------
    Antonio Iacoviello
    ------------------------------



  • 6.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Wed December 15, 2021 03:49 PM
    Hi. Stats 24 and prior are using log4j v 1.x, not 2.x, so they should be OK.

    ------------------------------
    Rick Marcantonio
    Quality Assurance
    IBM
    ------------------------------
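A defender-side check for the two points raised in this thread (post 4's CVE-2021-4104 in log4j 1.x, which only applies when a JMSAppender is configured, and post 6's 1.x-versus-2.x distinction), as an added example that is not IBM's or the forum's own code: it inventories jars under an install directory by the class entries they contain and flags log4j 1.x configuration files that name JMSAppender. The sample tree is constructed inside the script; its layout and file names are assumptions, not the real SPSS install layout.

```python
import os
import tempfile
import zipfile

# Class entries that identify the two log4j generations inside a jar.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
# Lookup class behind the log4j 2 RCE issue; its presence means an unpatched 2.x core jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Return ('log4j1' | 'log4j2' | None, has_jndi_lookup) from the jar's entries."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return None, False
    if LOG4J1_MARKER in names:
        return "log4j1", False
    if any(n.startswith(LOG4J2_PREFIX) for n in names):
        return "log4j2", JNDI_LOOKUP in names
    return None, False

def jms_appender_configured(cfg_path):
    """CVE-2021-4104 only matters for log4j 1.x when a JMSAppender is configured."""
    with open(cfg_path, encoding="utf-8", errors="replace") as f:
        return "JMSAppender" in f.read()

def scan(root):
    """Walk an install tree and report log4j jars, unpatched 2.x cores and JMS configs."""
    report = {"log4j1": [], "log4j2": [], "jndi_lookup": [], "jms_configs": []}
    for d, _, files in os.walk(root):
        for name in files:
            p, low = os.path.join(d, name), name.lower()
            if low.endswith(".jar"):
                kind, jndi = classify_jar(p)
                if kind:
                    report[kind].append(p)
                if jndi:
                    report["jndi_lookup"].append(p)
            elif "log4j" in low and low.endswith((".properties", ".xml")):
                if jms_appender_configured(p):
                    report["jms_configs"].append(p)
    return report

def build_sample_tree():
    """Constructed sample tree (assumed layout, not SPSS's): one 1.x jar, one 2.x core, one config."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr(LOG4J1_MARKER, b"")
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"")
    with open(os.path.join(root, "log4j.properties"), "w") as f:
        f.write("log4j.appender.jms=org.apache.log4j.net.JMSAppender\n")
    return root

if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Run it against the product's install directory instead of the constructed tree to see which generation of log4j a given Statistics version actually ships.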



  • 7.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Wed December 15, 2021 04:12 PM
    Thanks Rick, would you advise we stay on SPSS 22 until IBM release new patch guidance in line with findings patched in log4j 2.16?

    ------------------------------
    Antonio Iacoviello
    ------------------------------



  • 8.  RE: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

    Posted Wed December 15, 2021 04:43 PM
    It's fine to stay with v22 for the time being, but please do check back after the first week of the new year or so. You're going to want to upgrade to a supported version and this issue is no reason to wait too long.

    ------------------------------
    Rick Marcantonio
    Quality Assurance
    IBM
    ------------------------------