Updates on 09/03:
The unpatched older R versions will be removed from the Owens cluster by October 9, 2024. If you are using any of the versions slated for removal, please migrate your R workflows to a secure version as soon as possible.
R Versions to be Deleted from Owens Cluster: R/3.3.1 R/3.3.2 R/3.4.0 R/3.4.2 R/3.5.0 under intel16, R/3.6.0, R/3.6.0-gnu7.3
RStudio Versions to be Deleted from Owens: 3.3.2 3.4.2 3.6.0
Please Note: Owens is nearing the end of its operational life. We recommend transitioning your workflows to other clusters to ensure uninterrupted service. Please reach out to oschelp@osc.edu if you have questions.
Updates on 06/13:
Rolling reboots on all clusters (Pitzer, Ascend, Owens), to address CVE-2024-27322 in the R programming language prior to version 4.4.0, have completed. Users do not need to re-install libraries in the older versions of R. Please contact oschelp@osc.edu if you need any assistance.
Updates on 06/04:
We will perform rolling reboots on all clusters (Pitzer, Ascend, Owens), starting at 9 am on Thursday, June 6th, to address the vulnerability by patching old versions of R.
Original Post:
A vulnerability, CVE-2024-27322, has been discovered in the R programming language. It affects the serialization and deserialization process in versions prior to 4.4.0. This vulnerability can be exploited through R Data Serialization (RDS) files or R packages, which are often shared between developers and data scientists. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim’s target device upon interaction. [1]
The vulnerability is fixed in R starting with version 4.4.0. We have installed R 4.4.0 on all clusters and recommend using R/4.4.0. Please limit package use to trusted sources. When migrating to R version 4.4, you will need to reinstall the necessary packages.
We're actively exploring solutions to address the challenges posed by older versions of R and will provide more information soon. Please contact oschelp@osc.edu if you need any assistance.