Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

Hi, Fabian.

Unfortunately, SPSS 24 reached its "End-Of-Support" as of last September. A fix is not in the works for that version.

------------------------------
Rick Marcantonio
Quality Assurance
IBM
------------------------------

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM
------------------------------

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

FYI, there is another less severe CVE on log4j 1.x: https://access.redhat.com/security/cve/CVE-2021-4104. Upgrading Statistics is the recommended solution.

------------------------------
Curtis Browning
SPSS Statistics Architect
------------------------------

Original Message:
Sent: Tue December 14, 2021 10:30 AM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

Hi Rick,
Are you able to confirm if this is the case for versions 22 to 24 as well or is it still recommended update immediately?

------------------------------
Antonio Iacoviello
------------------------------

Original Message:
Sent: Tue December 14, 2021 10:30 AM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

Hi. Stats 24 and prior are using log4j v 1.x, not 2.x, so they should be OK.

------------------------------
Rick Marcantonio
Quality Assurance
IBM
------------------------------

Original Message:
Sent: Wed December 15, 2021 12:39 PM
From: Antonio Iacoviello
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hi Rick,
Are you able to confirm if this is the case for versions 22 to 24 as well or is it still recommended update immediately?

------------------------------
Antonio Iacoviello

Original Message:
Sent: Tue December 14, 2021 10:30 AM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

Thanks Rick, would you advise we stay on SPSS 22 until IBM release new patch guidance in line with findings patched in log4j 2.16?

------------------------------
Antonio Iacoviello
------------------------------

Original Message:
Sent: Wed December 15, 2021 03:48 PM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hi. Stats 24 and prior are using log4j v 1.x, not 2.x, so they should be OK.

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Wed December 15, 2021 12:39 PM
From: Antonio Iacoviello
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hi Rick,
Are you able to confirm if this is the case for versions 22 to 24 as well or is it still recommended update immediately?

------------------------------
Antonio Iacoviello

Original Message:
Sent: Tue December 14, 2021 10:30 AM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics

It's fine to stay with v22 for the time being, but please do check back after the first week of the new year or so. You're going to want to upgrade to a supported version and this issue is no reason to wait too long.

------------------------------
Rick Marcantonio
Quality Assurance
IBM
------------------------------

Original Message:
Sent: Wed December 15, 2021 04:12 PM
From: Antonio Iacoviello
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Thanks Rick, would you advise we stay on SPSS 22 until IBM release new patch guidance in line with findings patched in log4j 2.16?

------------------------------
Antonio Iacoviello

Original Message:
Sent: Wed December 15, 2021 03:48 PM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hi. Stats 24 and prior are using log4j v 1.x, not 2.x, so they should be OK.

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Wed December 15, 2021 12:39 PM
From: Antonio Iacoviello
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hi Rick,
Are you able to confirm if this is the case for versions 22 to 24 as well or is it still recommended update immediately?

------------------------------
Antonio Iacoviello

Original Message:
Sent: Tue December 14, 2021 10:30 AM
From: Rick Marcantonio
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Latest: A developer has let me know that Statistics v24 is not vulnerable to that issue. 

------------------------------
Rick Marcantonio
Quality Assurance
IBM

Original Message:
Sent: Tue December 14, 2021 09:06 AM
From: Fabian Schäfer
Subject: SPSS 24 - Apache Log4j Remote Code Execution Vulnerability

Hello,

we are currently still using SPSS 24, what about the vulnerability there? In the official documentation from IBM support there are only fixes for versions >=25. Is version 24 still affected or not? If yes, will there be a hotfix for it?

------------------------------
Fabian Schäfer
------------------------------

#SPSSStatistics