IBM SPSS Statistics is a popular statistical software platform. On December 9th, 2021, a serious vulnerability was first discovered in the popular Log4j Java logging library used in several popular software packages, including IBM SPSS Statistics. This vulnerability affects all versions of SPSS.
IT Services currently supports version 28.0.1 and is assisting all users of SPSS to apply required patches to address Log4j vulnerability.
Managed Work Computers
Software on all University workstations is managed by Microsoft Intune device management platform which allows IT Services to automatically install the latest versions of each software along with necessary security patches. We are currently in process of remotely removing older versions of SPSS and installing the latest supported version 28.0.1 with applicable patches. This should be completed by the start of the Winter 2022 semester.
There is no action required from you on any of your managed Windows work computers. Classroom and lab computers are included as well. If your work computer was not yet enrolled into University device management, you can click here to open a ticket to have it enrolled. Select "Join Windows 10 PC to Azure AD" in the Request Type filed on the form.
If you are a Mac user, you will need to follow instructions in this article to ensure you have the latest version of SPSS installed, and to install the required security patch.
Personal and Unmanaged Work Computers
If you are using an older version of SPSS on your personal computer, or if your work computer has not yet been enrolled in University device management system, you must take action as soon as possible to protect your computer from being compromised. You will first need to remove it from your computer and replace it with version 28.0.1 so that you can apply Log4j vulnerability patch.
If you are a Mac user, you will need to follow instructions in this article to ensure you have the latest version of SPSS installed, and to install the required security patch.
Checking Version of SPSS
There are two ways of checking what version of SPSS you have installed on your computer:
- Go to Windows settings and click on Apps, then scroll down the list of installed apps until you find IBM SPSS Statistics. Click on it to see the version number.
- Launch IBM SPSS Statistics and make a note of the version number that appears on the splash screen.
Uninstalling SPSS
To uninstall older version of SPSS from your computer follow these steps:
- Go to Windows settings and click on Apps,
- Scroll down the list of installed apps until you find IBM SPSS Statistics.
- Click on IBM SPSS Statistics to select it.
- Click on Uninstall.
Installing SPSS 28.0.1
To install the latest supported version of IBM SPSS Statistics, please follow instructions included in this KB article:
Applying Log4j Patch
In order to apply the Log4j patch, you will need to locate and replace three affected files the SPSS 28 installation directory following these steps:
- Download the three files attached to this article (see Files section on the right) saving them in the Downloads folder on your hard drive.
- Close the SPSS app, if you have it running.
- Launch Windows File Explorer and navigate to the SPSS 28 installation directory:
C:\Program Files\IBM\SPSS\Statistics\28
- Locate and open a folder called as-3.2.3.0
- Locate and open a folder called lib
- Locate these three files and delete each one of them:
- log4j-core-2.13.3.jar
- log4j-api-2.13.3.jar
- log4j-1.2-api-2.13.3.jar
- Move the three files that you downloaded in step 1 from your Downloads folder to the lib folder replacing files that you deleted in step 6