log4j vulnerability in Shiny ?

Hi Coen,

Thank you for asking this question and bringing attention to the matter on our community forum!

RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.

In regards to

We found it is also present in Shiny, e.g. within /shiny-server/node_modules/log4js

Log4j is a logging framework for Java, where as Log4js is a logging framework for JavaScript. As far as I'm aware Log4js does not have the security vulnerability that Log4j does.

Hope this helps ease any concerns you may have!
-Kyle

2 Likes