RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.
UPDATE - 2021-12-14
We have confirmed that the open source versions of RStudio Desktop, RStudio Server, and Shiny Server are also free from the vulnerability.
Furthermore, we have confirmed that both the open source and pro versions of RStudio Desktop, RStudio Server/RStudio Workbench, and Shiny Server have never used Log4j, so older versions should be free of the vulnerability as well.
The only thing we have found using Log4j so far is shinycannon, which is used as part of shinyloadtest for load testing Shiny apps. Both shinycannon and shinytest are completely separate from Shiny Server and RStudio Connect. For those that do use shinycannon as part of their load testing, we do have a fix for the Log4j vulnerability in progress right now.
I would also like to provide clarification that Shiny Server uses a Node module called Log4js, which is a logging framework for JavaScript. This is not associated with Log4j, which is a logging framework for Java. Log4js does not contain the vulnerability that Log4j does.
UPDATE - 2021-12-15
We have confirmed that RStudio Connect has never used Java nor Log4j. This means all older versions of RStudio Connect should also be free of the vulnerability.
Since it is possible to use Java in R via the rJava R package, and thus possibly Java libraries like Log4j, we would suggest that everyone perform audits on their own R code for this vulnerability if they use rJava.
UPDATE - 2021-12-16
We have released version 1.1.2 of shinycannon, which updates Log4j to version 2.16.0. This fixes the initial CVE-2021-44228 Log4j vulnerability as well as the CVE-2021-45046 Log4j vulnerability introduced in Log4j version 2.15.0. Anyone using shinycannon should update to this newest version as soon as possible.
We have found that older (and no longer supported) versions of RStudio Pro Drivers contained an instance of Log4j inside the MongoDB drivers (under rstudio-drivers/mongodb/bin/Tools/SchemaEditor/app/libs). However, the currently supported versions of RStudio Pro Drivers no longer contain the rstudio-drivers/mongodb/bin/Tools/SchemaEditor folder. Thus, as stated earlier, our currently supported versions of our products do not have the vulnerability.
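The two audits this advisory asks for, checking rJava-based R code for bundled Log4j and checking an older driver install tree for the jar under the path above, come down to the same question: which Log4j jars are on disk and what version are they? The helper below is an added example and not RStudio's own code. It walks a directory (an R library path, or an rstudio-drivers install) and reports every Log4j jar with its version and whether it is at or above the 2.16.0 release this advisory names as the fix. It assumes jars follow the standard Maven naming (log4j-core-<version>.jar) or carry an Implementation-Version in their manifest; the sample tree it builds for the demo is constructed, not a real install.

```python
import os
import re
import tempfile
import zipfile

# Version the advisory names as fixing CVE-2021-44228 and CVE-2021-45046.
FIXED_VERSION = (2, 16, 0)

# Standard Maven jar names: log4j-core-2.14.1.jar, log4j-1.2.17.jar, ...
JAR_NAME_RE = re.compile(r"^log4j(?:-core)?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.16' -> (2, 16, 0): pad to three parts so tuple comparison is sound."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def jar_version(path):
    """Version of a Log4j jar, from its filename or else its manifest; None if unknown."""
    match = JAR_NAME_RE.match(os.path.basename(path))
    if match:
        return parse_version(match.group(1))
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            value = line.split(":", 1)[1].strip()
            if re.fullmatch(r"\d+(?:\.\d+)*", value):
                return parse_version(value)
    return None


def classify(version):
    """Map a version tuple to a status string for the audit report."""
    if version is None:
        return "unknown-version"  # manifest missing or unreadable: inspect by hand
    if version[0] != 2:
        return "not-log4j2"        # Log4j 1.x is a separate code base; track it separately
    return "fixed" if version >= FIXED_VERSION else "vulnerable"


def scan(root):
    """Walk root and report every Log4j jar as (relative path, version, status)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                shown = ".".join(map(str, version)) if version else "?"
                findings.append((os.path.relpath(path, root), shown, classify(version)))
    return sorted(findings)


def build_sample_tree():
    """Constructed fixture (not a real install): a few jars under a drivers-like layout."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    libs = os.path.join(root, "mongodb", "bin", "Tools", "SchemaEditor", "app", "libs")
    os.makedirs(libs)
    os.makedirs(os.path.join(root, "rJava", "java"))

    def write_jar(path, manifest_version=None):
        with zipfile.ZipFile(path, "w") as jar:
            if manifest_version:
                jar.writestr("META-INF/MANIFEST.MF",
                             f"Manifest-Version: 1.0\nImplementation-Version: {manifest_version}\n")
            jar.writestr("org/apache/logging/log4j/core/Placeholder.class", b"")

    write_jar(os.path.join(libs, "log4j-core-2.14.1.jar"))                     # named version, below fix
    write_jar(os.path.join(root, "rJava", "java", "log4j-core.jar"), "2.15.0")  # version only in manifest
    write_jar(os.path.join(root, "rJava", "java", "log4j-core-2.16.0.jar"))     # the fixed release
    write_jar(os.path.join(root, "rJava", "java", "log4j-1.2.17.jar"))          # Log4j 1.x
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, version, status in scan(target):
        print(f"{status:16} {version:8} {rel}")
```

Run it with no argument to see the report on the constructed tree, or pass a directory such as the output of `.libPaths()` from R or an rstudio-drivers install. Anything reported as `vulnerable` or `unknown-version` is what the advisory's suggested audit should surface for follow-up; a jar whose version cannot be read is deliberately not assumed safe.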
All further questions or concerns in relation to RStudio's products and the Log4j vulnerability should be directed to security@rstudio.com.