[R-pkg-devel] log4j (CVE-2021-44228) & rJava CRAN pkgs (spoiler: no issues!)

Bob Rudis (bob sending from rud.is)
Sun Dec 12 14:55:46 CET 2021


Hey folks,

If you haven't heard abt the log4j vuln from Friday yet, I envy you
and def want to know how you managed to do that.

For folks who develop Java-backed packages, pls be aware there's an
arbitrary code execution issue with log4j v2 <= 2.15.0 (NOTE log4j v1
1.x are not impacted).

Thanks to a q by Sir Leeper, I've scanned all of CRAN with —
https://github.com/mergebase/log4j-detector — (and looked for the
log4j v2 jar directly) and it's all good, but wanted to let folks know
abt that tool and suggest that you run that in new packages or if you
update your old ones.

The odds of any R environment being impacted by this vulnerability
were super slim (to almost none) to begin with and — if the tool is
accurate — it's 0.

This is a technical but rly good Reddit thread on the log4j issue if
folks want some bedtime reading:
https://www.reddit.com/r/blueteamsec/comments/rd38z9/log4j_0day_being_exploited/

-boB
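A scanner along the lines Bob describes (look for the log4j v2 jar directly under a package's inst/java/ and read its version), written here as an added example that is not part of the original post and is not the mergebase log4j-detector tool. It assumes two real markers inside a log4j-core jar: the Maven pom.properties at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties and the class org/apache/logging/log4j/core/lookup/JndiLookup.class; the affected range follows the post (2.x up to and including 2.15.0). The jars it scans in demo() are constructed fixtures in a temporary directory, not real log4j builds.

```python
"""Look for bundled log4j 2.x jars under an R package tree (for rJava
packages that usually means inst/java/) and report the version recorded in
each jar's Maven pom.properties. Added example; not the log4j-detector tool."""
import os
import re
import tempfile
import zipfile

# Range the post calls out: log4j 2.x up to and including 2.15.0.
MAX_AFFECTED = (2, 15, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup; used as a secondary signal when a
# repackaged jar carries no pom.properties.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '2.0-beta9' keep only the
    leading digits of each component."""
    parts = []
    for tok in text.strip().split(".")[:3]:
        m = re.match(r"\d+", tok)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def inspect_jar(path):
    """Return a finding dict if the jar ships log4j-core, else None."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None  # not a jar at all
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        if POM_PROPS not in names and not has_jndi:
            return None  # no trace of log4j-core (log4j 1.x uses org/apache/log4j paths)
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    if version is not None:
        affected = version.startswith("2.") and parse_version(version) <= MAX_AFFECTED
    else:
        affected = has_jndi  # unknown version: a live JndiLookup is treated as affected
    return {"jar": os.path.basename(path), "version": version,
            "jndi_lookup": has_jndi, "affected": affected}


def scan_tree(root):
    """Walk root for *.jar files (nested/shaded jars inside a jar are not
    opened) and return findings for every log4j-core jar, sorted by name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                hit = inspect_jar(os.path.join(dirpath, name))
                if hit:
                    findings.append(hit)
    return sorted(findings, key=lambda f: f["jar"])


def _make_jar(path, version=None, with_jndi=False):
    """Constructed fixture: a minimal jar carrying only the markers we look for."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\n"
                                   f"version={version}\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")


def demo():
    """Build a fake package inst/java/ tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    java = os.path.join(root, "inst", "java")
    os.makedirs(java)
    _make_jar(os.path.join(java, "log4j-core-2.14.1.jar"), "2.14.1", with_jndi=True)
    _make_jar(os.path.join(java, "log4j-core-2.17.1.jar"), "2.17.1", with_jndi=False)
    _make_jar(os.path.join(java, "log4j-1.2.17.jar"))                  # 1.x: no markers
    _make_jar(os.path.join(java, "shaded-unknown.jar"), with_jndi=True)  # version stripped
    return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against an unpacked package source tree (`scan_tree("mypkg/")`) before submitting to CRAN; a 1.x jar yields no finding, a 2.x jar in the called-out range is flagged, and a repackaged jar with no version metadata is flagged only when the JndiLookup class is still present.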


