R Language OpenSSL Vulnerability

Hello,

We provide our data scientists with EC2 instances that have statistical analysis software on them, including RStudio. These EC2s use Amazon Linux 2. We have recently been flagged for instances that we administrate that contain versions of OpenSSL that are vulnerable to CVE-2022-1292, and the application (Tenable) flags specific R paths like this:

/opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so

This path is showing the installed path of the R openssl package, and we've so far been unable to conclusively prove if this library is part of the system-installed openssl package, or if the openssl R package is installing its own openssl dependency. If I load the package in RStudio and then run sessionInfo(), I'm given the following version: OpenSSL 1.0.2k-fips 26 Jan 2017 (FIPS). This matches the installed system version, which we know to be patched for the vulnerability, but since the .so library is not being 'managed' by our system, it's flagged as vulnerable.

For contrast, here is a (not vulnerable) path: /usr/local/ssl/bin/openssl, which provides the same version: OpenSSL 1.0.2k-fips 26 Jan 2017 (FIPS). The key difference is that I can run the following to definitively point to a patched version:

> rpm -qf /usr/bin/openssl
openssl-1.0.2k-24.amzn2.0.12.x86_64

Whereas if I run the above command on the R-provided path, I don't get any helpful output:

> rpm -qf /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so
file /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so is not owned by any package

I was hoping to get some insight into how R/RStudio manages system dependencies like this, and whether or not there's a way to show if they're using the underlying system package or providing their own bundled version of the openssl library.

Thanks!
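One way to answer the "bundled or system?" question from the host itself, as an added example that is not part of the original post or of any R/RStudio tooling: run ldd on the flagged wrapper .so, classify where libssl/libcrypto resolve, and ask rpm who owns those resolved libraries. It assumes ldd, rpm and strings are present (as on Amazon Linux 2); the sample ldd output and the /opt/R/3.6.3/lib/R/lib path in the private sample are constructed for the self-check, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an R package's
# openssl.so carries its own OpenSSL or links to the system libssl/libcrypto.
# Assumes ldd, rpm and strings exist on the host (true on Amazon Linux 2).
# classify_linkage: reads `ldd <file>` output on stdin and prints one word:
#   system     libssl/libcrypto resolve under /lib, /lib64, /usr/lib, /usr/lib64
#   private    they resolve somewhere else (a bundled copy shipped with R)
#   unresolved ldd printed "not found" for one of them
#   none       no libssl/libcrypto dependency (statically linked, or no crypto)
classify_linkage() {
    awk '/libssl\.so|libcrypto\.so/ {
            found = 1                     # $3 is the resolved path in ldd output
            if ($3 == "not")                           unres++
            else if ($3 ~ /^\/(usr\/)?lib(64)?\//)     sys++
            else                                       priv++
        }
        END {
            if (!found)      print "none"
            else if (unres)  print "unresolved"
            else if (priv)   print "private"
            else             print "system"
        }'
}

# check_r_openssl <path-to-openssl.so>: full report against a real file.
check_r_openssl() {
    so="$1"
    [ -f "$so" ] || { echo "missing: $so"; return 2; }
    echo "== $so"
    rpm -qf "$so" 2>/dev/null || echo "not rpm-managed (installed outside the package manager)"
    echo "linkage: $(ldd "$so" | classify_linkage)"
    # The rpm that owns each resolved libssl/libcrypto is the one whose version
    # decides whether CVE-2022-1292 is fixed, not the unowned wrapper .so.
    ldd "$so" | awk '/libssl\.so|libcrypto\.so/ && $3 ~ /^\// { print $3 }' |
    while read -r lib; do
        printf '%s -> %s\n' "$lib" "$(rpm -qf "$lib" 2>/dev/null || echo unowned)"
    done
    # An OpenSSL version string inside the wrapper itself suggests static linking.
    strings "$so" | grep -m1 '^OpenSSL [0-9]' || echo "no embedded OpenSSL version string"
}

# Constructed ldd output (not captured from a real host) for a self-check.
SAMPLE_SYSTEM_LDD='libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0a00000000)
libssl.so.10 => /lib64/libssl.so.10 (0x00007f0a00200000)
libc.so.6 => /lib64/libc.so.6 (0x00007f0a00400000)'
SAMPLE_PRIVATE_LDD='libcrypto.so.1.1 => /opt/R/3.6.3/lib/R/lib/libcrypto.so.1.1 (0x00007f0a00000000)
libssl.so.1.1 => /opt/R/3.6.3/lib/R/lib/libssl.so.1.1 (0x00007f0a00200000)'
if [ $# -gt 0 ]; then check_r_openssl "$1"; fi
```

Run it as `sh check.sh /opt/R/3.6.3/lib/R/library/openssl/libs/openssl.so`; a "system" result with the resolved libraries owned by the patched openssl rpm is the evidence to hand back to the scanner team.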

Hi @linusfy -

I think the answer you are looking for depends on how R gets onto the AMI that you are supporting. This StackOverflow answer implies that there are two versions of R on Linux, and if you choose the r-cran-openssl version, OpenSSL will get installed/is compiled as part of the R binary.

Best,
Randy