[R] R For Windows - Apache Log4J Vulnerability Inquiry

Ivan Krylov kry|ov@r00t @end|ng |rom gm@||@com
Tue Dec 14 18:47:37 CET 2021

On Tue, 14 Dec 2021 14:37:47 +0000
"Franklin, Mark via R-help" <r-help using r-project.org> wrote:

> Would you be able to confirm if R for Windows v3.1.1 is impacted by
> this vulnerability?

R itself isn't written in Java, so it cannot, but the third-party Java
code that you might be calling using rJava might be.

Bob Rudis has been very kind to scan the CRAN [*] looking for packages
written in Java that might bundle the vulnerable version of log4j, and
didn't find any, but your environment may contain different versions of
packages from different sources, and those might still be vulnerable.

There could be other vulnerabilities in R v3.1.1, some of them fixed
since 2014.

Best regards,

[*] https://stat.ethz.ch/pipermail/r-package-devel/2021q4/007589.html

More information about the R-help mailing list