Is Log4j used in RStudio, and if so, is there a way to mitigate the risk?

A vulnerability in log4j has been reported (e.g. GitHub - NCSC-NL/log4shell: Operational information regarding the vulnerability in the Log4j logging library), which is currently being exploited.

I saw on Wikipedia that RStudio is developed primarily in Java, so the question of whether RStudio uses log4j came up.

If log4j is used, does this represent a potential security risk for our instances hosting RStudio, and is there a way to address this?

Thanks,
Atle

3 Likes

Hi Atle,

Thank you for asking this question and bringing attention to the matter on our community forum!

RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.

Hope this helps ease any concerns you may have!
-Kyle

3 Likes

Hi Kyle

Would this also apply to the open source version of RStudio Server?

Specifically the latest version available at

https://download2.rstudio.org/server/bionic/amd64/rstudio-server-2021.09.1-372-amd64.deb

Thanks

Josh

Hey Josh,

I can confirm that the open source version is also free of this vulnerability!

-Kyle

4 Likes
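One way to check a claim like this against a package yourself, as an added example that is not RStudio's code: the script below walks an install tree (or a .deb unpacked with `dpkg-deb -x`) for bundled `log4j-core-<version>.jar` files and flags anything below 2.15.0, the version the shinycannon issue cited later in this thread updated to. It assumes only POSIX sh, find, sed and awk; the version threshold and the sample file names are constructed for illustration.

```shell
# Added example (not RStudio's code): scan an install tree, or an unpacked .deb,
# for bundled log4j-core jars and flag versions below 2.15.0. Assumes POSIX sh,
# find, sed and awk; dpkg-deb is only needed for the optional .deb helper.
# Note: a filename scan finds bundled jars, not shaded or renamed copies.

# Return 0 if dotted version $1 >= $2, 1 otherwise (numeric, component-wise).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print the version embedded in a log4j-core-<ver>.jar file name; fail otherwise.
log4j_core_version() {
    case "$(basename "$1")" in
        log4j-core-*.jar) basename "$1" | sed 's/^log4j-core-//; s/\.jar$//' ;;
        *) return 1 ;;
    esac
}

# Walk DIR and print "<path> <version> VULNERABLE|PATCHED" per log4j-core jar.
find_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(log4j_core_version "$jar") || continue
        if version_ge "$ver" 2.15.0; then status=PATCHED; else status=VULNERABLE; fi
        printf '%s %s %s\n' "$jar" "$ver" "$status"
    done
}

# Return 0 (true) if DIR contains at least one log4j-core jar below 2.15.0.
has_vulnerable_log4j() {
    find_log4j_jars "$1" | grep -q ' VULNERABLE$'
}

# Optional: unpack a .deb (e.g. rstudio-server-<version>-amd64.deb) and scan it.
scan_deb() {
    tmp=$(mktemp -d) || return 2
    dpkg-deb -x "$1" "$tmp" && find_log4j_jars "$tmp"
    rm -rf "$tmp"
}
```

Run `scan_deb /path/to/package.deb` or `find_log4j_jars /usr/lib/rstudio-server`; no output means no log4j-core jar was found by name.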

Fantastic!

Thanks for confirming

Hi Kyle,

does this also apply to the open source version of Shiny Server?

Many thanks,
Nadine

Hi Nadine,

Shiny Server is written in JavaScript and as such does not contain Log4j. See also log4j vulnerability in Shiny? - #2 by kyle_hekhuis.

-Kyle

So, umm, not every supported version of the open source RShiny was in the clear. ShinyProxy has some legacy code apparently that imported log4j but actually didn't do anything with it. RStudio's package shinycannon was using log4j, but they patched the vulnerability.
Read here: Zero-day exploit for Log4j - ShinyProxy - Open Analytics Community Support
And here: Update Log4j to 2.15.0 · Issue #64 · rstudio/shinycannon · GitHub

Can you update the information to let people know to make sure they are using the latest packages and add-ons for Shiny Server?

Hey there!

ShinyProxy is a product from Open Analytics and is in no way affiliated with RStudio. In regards to shinycannon, that is used as part of shinyloadtest for load testing Shiny apps. Both shinycannon and shinytest are completely separate from Shiny Server and RStudio Connect. For those that do use shinycannon as part of their load testing, we do have a fix for the Log4j vulnerability in progress right now.

3 Likes

Advice/Concern:
Kyle, I do think it's important, because this is an open source community, to keep people up to date on at least which packages have been patched related to Shiny. For example, shinytableau is not patched. It's probably not going to be patched, as the issue is on the Tableau end. Exploits are not something to mess around with. It's everyone's collective responsibility, not just Open Analytics' or RStudio's.

Concern:
People might not be aware that they should still update their Shiny-related packages.

Praise:
On the other hand, I do want to praise R for being on top of things with patching the issue. So thank you for your honesty.

1 Like

What about the open source version of RStudio Desktop? Is that impacted by log4j?

All supported versions of RStudio IDE (open source and Pro), RStudio Server (open source), and RStudio Workbench (Pro) do not use Log4j, and are not impacted by this vulnerability.

1 Like