Franklin, Mark
2021-Dec-14 14:37 UTC
[R] R For Windows - Apache Log4J Vulnerability Inquiry
Hello R-Help,

Due to the latest remote code execution vulnerability (CVE-2021-44228<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) in Apache Log4J, would you be able to confirm if R for Windows v3.1.1 is impacted by this vulnerability?

Application Name              Vendor           Vendor Info
MH01W-R for Windows v3.1.1    The R Project    https://www.r-project.org/

If this is not the correct email contact, would you be able to provide the appropriate contact?

Thanks,

Mark Franklin | Business Support Analyst | RBC Global Asset Management

On Tue, 14 Dec 2021 14:37:47 +0000
"Franklin, Mark via R-help" <r-help at r-project.org> wrote:

> Would you be able to confirm if R for Windows v3.1.1 is impacted by
> this vulnerability?

R itself isn't written in Java, so it cannot, but the third-party Java code that you might be calling using rJava might be.

Bob Rudis has been very kind to scan the CRAN [*] looking for packages written in Java that might bundle the vulnerable version of log4j, and didn't find any, but your environment may contain different versions of packages from different sources, and those might still be vulnerable.

There could be other vulnerabilities in R v3.1.1, some of them fixed since 2014.

--
Best regards,
Ivan

[*] https://stat.ethz.ch/pipermail/r-package-devel/2021q4/007589.html
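
Added example, not part of either message and not an R Project tool: a Python script that checks a local R library tree for installed packages that bundle log4j-core, the case the reply above raises for packages obtained from other sources. It assumes the directories passed in are the ones `.libPaths()` prints in R; it looks for `JndiLookup.class` inside jar files (nested ones included), so a hit means log4j-core is bundled and its version still has to be compared against the Apache advisory.

```python
import io
import os
import sys
import zipfile
import zlib

# Class implementing the JNDI lookup involved in CVE-2021-44228; it ships inside log4j-core 2.x jars.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_NESTED = 64 * 1024 * 1024  # do not unpack nested archives larger than this (assumed limit)

def scan_archive(src, label, depth=0):
    """Return labels of archives (src and any nested inside it) that contain MARKER."""
    hits = []
    try:
        with zipfile.ZipFile(src) as zf:
            infos = zf.infolist()
            if any(i.filename == MARKER for i in infos):
                hits.append(label)
            for i in infos:
                nested = i.filename.lower().endswith(ARCHIVE_EXT)
                if nested and depth < 3 and i.file_size <= MAX_NESTED:
                    inner = io.BytesIO(zf.read(i))
                    hits += scan_archive(inner, f"{label}!{i.filename}", depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError, zlib.error):
        pass  # corrupt, unreadable or encrypted archive: nothing to report from it
    return hits

def scan_r_library(lib_path):
    """Map each installed package under lib_path to the archives bundling JndiLookup."""
    findings = {}
    for pkg in sorted(os.listdir(lib_path)):
        pkg_dir = os.path.join(lib_path, pkg)
        if not os.path.isdir(pkg_dir):
            continue
        for root, _dirs, files in os.walk(pkg_dir):
            for fname in files:
                if fname.lower().endswith(ARCHIVE_EXT):
                    full = os.path.join(root, fname)
                    hits = scan_archive(full, os.path.relpath(full, pkg_dir))
                    if hits:
                        findings.setdefault(pkg, []).extend(hits)
    return findings

if __name__ == "__main__":
    for lib in sys.argv[1:]:  # one argument per R library directory
        for pkg, jars in scan_r_library(lib).items():
            print(f"{lib}: {pkg}: {', '.join(jars)}")
```

An empty result only says that no scanned package bundles log4j-core; Java code loaded from elsewhere on the system is outside what this walks.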