Updates on 06/13:
Rolling reboots on all clusters (Pitzer, Ascend, Owens), to address CVE-2024-27322 in the R programming language prior to version 4.4.0, have completed. Users do not need to re-install libraries in the older versions of R. Please contact oschelp@osc.edu if you need any assistance.
Updates on 06/04:
We will perform rolling reboots on all clusters (Pitzer, Ascend, Owens), starting at 9am on Thursday, June 6th, to address the vulnerability by patching the older versions of R.
Original Post:
A vulnerability, CVE-2024-27322, has been discovered in the serialization and deserialization process of the R programming language prior to version 4.4.0. It can be exploited through R Data Serialization (RDS) files or R packages, which are often shared between developers and data scientists. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's device as soon as the victim interacts with the file or package (for example, by loading it). [1]
R fixes the vulnerability starting from version 4.4.0. We have installed R 4.4.0 on all clusters and recommend using R/4.4.0. Please limit package use to trusted sources. When migrating to R version 4.4, you will need to reinstall the packages you need, because packages built for an older R version are not reused by R 4.4.
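The migration step above, as an added example that is not part of the OSC notice: one function records the user-installed packages under the old R, the other reinstalls them under R 4.4.0 and refuses to run on a vulnerable R. The list file path and the CRAN mirror URL are assumptions; run `export_user_packages()` under the old R module and `reinstall_user_packages()` after `module load R/4.4.0`.

```r
# Default location of the package list (assumption; change as you like).
list_file <- file.path(Sys.getenv("HOME"), "r_pkgs_to_migrate.txt")

# Step 1 (old R): write the names of user-installed packages to list_file.
# Packages with a Priority of "base" or "recommended" ship with R itself and
# are skipped; everything else (Priority NA) was installed on purpose.
export_user_packages <- function(out = list_file) {
  ip <- as.data.frame(installed.packages(), stringsAsFactors = FALSE)
  user_pkgs <- sort(unique(ip$Package[is.na(ip$Priority)]))
  writeLines(user_pkgs, out)
  message(length(user_pkgs), " package names written to ", out)
  invisible(user_pkgs)
}

# Step 2 (R 4.4.0): install whatever is still missing from a trusted CRAN
# mirror only. Installing into an R older than 4.4.0 is refused outright.
reinstall_user_packages <- function(list = list_file,
                                    repos = "https://cloud.r-project.org") {
  stopifnot(getRversion() >= "4.4.0")
  wanted <- readLines(list)
  missing <- setdiff(wanted, rownames(installed.packages()))
  if (length(missing) == 0) {
    message("All ", length(wanted), " packages already present; nothing to do")
    return(invisible(character()))
  }
  # .libPaths()[1] is the first library on the search path, normally the
  # per-version user library (R_LIBS_USER), so the 4.4.0 library is used.
  install.packages(missing, repos = repos, lib = .libPaths()[1])
  still_missing <- setdiff(wanted, rownames(installed.packages()))
  if (length(still_missing) > 0) {
    warning("Could not install: ", paste(still_missing, collapse = ", "))
  }
  invisible(still_missing)
}
```

Packages that fail to build under 4.4.0 are reported by name at the end, so you can deal with them individually rather than re-running the whole list.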
We're actively exploring solutions to address the challenges posed by older versions of R and will provide more information soon. Please contact oschelp@osc.edu if you need any assistance.