As an active UNICOM Intelligence customer, the purpose of this notice is to notify you of an issue introduced in UNICOM Intelligence by the Microsoft® 10 July 2018 security updates, as follows:
UNICOM Intelligence - Interviewer Server, Interview Tier Servers
After installing the July 10, 2018, Security Updates from Microsoft, Interviewer Server session engine registration will fail with the error "Error connecting to DPM: Class not registered".
The error will be logged to both the IVW* and ISE* logs on the server, which are by default saved under <Program Files>\IBM\SPSS\DataCollection\7\Interviewer Server Administration\Logs.
All interviewing functionality on the server will be unavailable.
Per CVE-2018-8202 | .NET Framework Elevation of Privilege Vulnerability, Microsoft has addressed a potential security vulnerability by updating how the .NET Framework activates COM objects. Specifically for COM objects running in IIS, there now appears to be a requirement for the authenticating identity to match the identity of the application pool. Unfortunately, the default configuration for Interviewer Server application pools (SPSS mrInterviewPoolx) has NetworkService as the application pool identity and the anonymous user configured at installation time as the authenticating user for each virtual folder. Given that the two identities are not the same, the .NET Framework blocks the creation of COM objects implemented in .NET.
The full list of Microsoft security updates that contain this fix are listed in the security article for CVE-2018-8202.
The immediate workaround is to uninstall the security update that introduced the fix for CVE-2018-8202.
To resolve the issue, the Application Pool Identity for each of the SPSSmrInterviewPool application pools needs to be configured as the Interviewer Server anonymous user, as configured at install time.
To do this, complete the following steps:
- Open Internet Information Services (IIS) Manager on the impacted Interviewing Tier server.
- Select Application Pools from the management tree and for each of the SPSSmrInterviewPool application pools complete the following steps:
- Select 'Advanced Settings…'
- Under the 'Process Model' section, edit the Identity setting by clicking on the ellipsis (…) button.
- Select the 'Custom account:' option and press the 'Set…' button.
- Enter the User name and Password for the anonymous user configured at install time and then press the OK button for each of the dialog boxes.
- Select the Web Site into which UNICOM Intelligence is installed and complete the following steps for each of the mrIEngWS and SPSSMR virtual folders:
- Under the 'IIS' group, open the 'Authentication' option.
- Select the 'Anonymous Authentication' option and press the 'Edit…' option under 'Actions'.
- Select the 'Application pool identity' option and press the OK button.
- If 'Windows Authentication' is listed, but is not enabled, select the 'Windows Authentication' option and press 'Enable' under 'Actions'.
- Restart the IIS server by selecting the server name from the management tree and pressing the Restart option under Actions.
- From the command-line run the RegIntSvr utility, installed by default at <ProgramFiles>\IBM\SPSS\DataCollection\7\Interviewer Server\Server.
If the updates have been made correctly, session engine registration should return Active status for each instance on the server.