Log4j Vulnerability in IBM SPSS Statistics for Mac

IBM SPSS Statistics is a popular statistical software platform. On December 9th, 2021, a serious vulnerability was first discovered in the popular Log4j Java logging library used in several popular software packages, including IBM SPSS Statistics. This vulnerability affects all versions of SPSS.

IT Services currently supports version 28.0.1 and is assisting all users of SPSS to apply required patches to address Log4j vulnerability.

All Mac users will need to follow instructions in this article to ensure you have the latest version of SPSS installed, and to install the required security patch. You must take action as soon as possible to protect your computer from being compromised. You will first need to remove it from your computer and replace it with version 28.0.1 so that you can apply Log4j vulnerability patch.

Checking Version of SPSS

To check what version of SPSS you have installed on your computer, launch IBM SPSS Statistics and make a note of the version number that appears on the splash screen.

Uninstalling SPSS

For IBM SPSS Statistics versions 19 and up, you can drag the installation folder to the Trash to uninstall. Here is the uninstall procedure for different versions:

Versions 23, 22 and 21

NOTE: for version 21 or 22 replace 23 with 21 for the folder and file names

1. Drag the installation folder to the Trash. By default, this is /Applications/IBM/SPSS/Statistics/23
2. In your Home folder, browse to Library/Preferences.
3. Drag com.ibm.spss.plist to the Trash. Note that this file is used by IBM SPSS Statistics, IBM SPSS Statistics Student Version, and IBM SPSS Smartreader. If any of these applications are still installed, you should not remove this file.
4. In your Home folder, drag Library/Application Support/IBM/SPSS/Statistics/22/Eclipse/ to the Trash.
5. If desired, remove any custom dialogs that you installed by dragging them to the Trash from /Library/Application Support/IBM/SPSS/Statistics/23/CustomDialogs/.
6. If desired, remove any extension commands that you installed by dragging them to the Trash from /Library/Application Support/IBM/SPSS/Statistics/23/extensions/.
7. Empty the Trash.

Version 20

1. Drag the installation folder to the Trash. By default, this is: /Applications/IBM/SPSS/Statistics/20.
2. In your Home folder, browse to Library/Preferences.
3. Drag com.ibm.spss.plist to the Trash. Note that this file is used by IBM SPSS Statistics, IBM SPSS Statistics Student Version, and IBM SPSS Smartreader. If any of these applications are still installed, you should not remove this file.
4. In Finder, press Shift+Command+G to go to a folder.
5. Type ~/.eclipse and click Go.
6. Drag "com.ibm.spss.statistics.help_20" folder to the Trash.
7. If desired, remove any custom dialogs that you installed by dragging them to the Trash from /Library/Application Support/IBM/SPSS/Statistics/20/CustomDialogs/
8. Empty the Trash.

Installing SPSS 28.0.1

To install the latest supported version of SPSS, please follow instructions included in this KB article:

• Downloading and Installing IBM SPSS Statistics

Applying Log4j Patch

In order to apply the Log4j patch, you will need to locate and replace three affected files the SPSS 28 installation directory following these steps:

1. Download the three files attached to this article (see Files section on the right) saving them in the Downloads folder on your hard drive.
2. Close the SPSS app, if you have it running.
3. Launch Finder and navigate to the SPSS 28 installation directory.
4. Locate and open a subfolder SPSS Statistics.app/Contents/bin & SPSS Statistics.app/Contents/bin/as-3.3.0.0/lib
5. Locate these three files and delete each one of them:
   • log4j-core-2.13.3.jar
   • log4j-api-2.13.3.jar
   • log4j-1.2-api-2.13.3.jar 
6. Move the three files that you downloaded in step 1 from your Downloads folder to the subfolder replacing files that you deleted in step  5