Vulnerability in R Programming language

Resolution: Resolved

Updates on 09/03:

The unpatched older R versions will be removed from the Owens cluster by October 9, 2024. If you are using any of the versions slated for removal, please migrate your R workflows to a secure version as soon as possible.

R Versions to be Deleted from Owens Cluster: R/3.3.1, R/3.3.2, R/3.4.0, R/3.4.2, R/3.5.0 (under intel16), R/3.6.0, R/3.6.0-gnu7.3

RStudio Versions to be Deleted from Owens: 3.3.2, 3.4.2, 3.6.0

Please Note: Owens is nearing the end of its operational life. We recommend transitioning your workflows to other clusters to ensure uninterrupted service. Please reach out to oschelp@osc.edu if you have questions.

Updates on 06/13:

Rolling reboots on all clusters (Pitzer, Ascend, Owens), to address CVE-2024-27322 in the R programming language prior to version 4.4.0, have completed. Users do not need to re-install libraries in the older versions of R. Please contact oschelp@osc.edu if you need any assistance.

Updates on 06/04:

We will perform rolling reboots on all clusters (Pitzer, Ascend, Owens), starting from 9am Thursday June 6th, to address the vulnerability by patching old versions of R.

Original Post:

A vulnerability, CVE-2024-27322, has been discovered in the serialization and deserialization process of the R programming language prior to version 4.4.0. It can be exploited through R Data Serialization (RDS) files or R packages, which are often shared between developers and data scientists. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's device when the file or package is loaded. [1]

The vulnerability is fixed in R 4.4.0 and later. We have installed R 4.4.0 on all clusters and recommend using R/4.4.0. Please limit package use to trusted sources. When migrating to R 4.4, you will need to reinstall the packages you depend on, since package libraries built for older R versions are not reused.
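The two practical steps above (only deserialize RDS files on a patched R, and reinstall your packages after moving to 4.4) can be wrapped in a small R helper. This is an added example, not code from OSC or the R project; the `old_lib` path is a placeholder you would replace with your previous `R_LIBS_USER` directory, and the CRAN mirror URL is an assumption.

```r
# Added example (not OSC's code): refuse to deserialize RDS files on an R
# version the advisory lists as vulnerable, and reinstall user packages from
# an old library into the R 4.4 library.

# Minimum R version in which CVE-2024-27322 is addressed (per the advisory).
FIXED_VERSION <- "4.4.0"

# TRUE when the running R is at or past the fixed version.
r_is_patched <- function(fixed = FIXED_VERSION) {
  getRversion() >= package_version(fixed)
}

# Read an RDS file only on a patched R. Files from untrusted sources should
# still be avoided; this guard just stops a vulnerable interpreter from
# deserializing the file at all.
safe_readRDS <- function(path, ...) {
  if (!r_is_patched()) {
    stop(sprintf("Refusing to deserialize '%s': running %s, need R >= %s (CVE-2024-27322)",
                 path, R.version.string, FIXED_VERSION))
  }
  readRDS(path, ...)
}

# Reinstall the packages found in an old user library into the current one.
# `old_lib` is a placeholder; point it at your previous R_LIBS_USER directory.
migrate_packages <- function(old_lib,
                             new_lib = .libPaths()[1],
                             repos = "https://cloud.r-project.org") {  # assumed mirror
  if (!dir.exists(old_lib)) stop("old library not found: ", old_lib)
  old <- installed.packages(lib.loc = old_lib)
  # Base and recommended packages ship with R itself; only user packages
  # (Priority == NA) need to be reinstalled.
  user_pkgs <- rownames(old)[is.na(old[, "Priority"])]
  present   <- rownames(installed.packages(lib.loc = new_lib))
  todo      <- setdiff(user_pkgs, present)
  if (length(todo) == 0) {
    message("nothing to install; all ", length(user_pkgs), " packages present in ", new_lib)
    return(invisible(character(0)))
  }
  message("installing ", length(todo), " packages into ", new_lib)
  install.packages(todo, lib = new_lib, repos = repos)
  invisible(todo)
}

# Usage: report the interpreter state, then migrate from a placeholder path.
cat(R.version.string, "- patched:", r_is_patched(), "\n")
# migrate_packages("/path/to/old/R/3.6.0/library")   # placeholder path
```

Run this after `module load R/4.4.0` (or whatever loads R 4.4 in your environment) so that `.libPaths()[1]` resolves to the new library; `migrate_packages()` skips anything already installed there, so it is safe to re-run if a CRAN build fails partway through.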

We're actively exploring solutions to address the challenges posed by older versions of R and will provide more information soon. Please contact oschelp@osc.edu if you need any assistance.

[1] https://www.cve.org/CVERecord?id=CVE-2024-27322