log4j vulnerability in Shiny?

A vulnerability in log4j has been reported (e.g. GitHub - NCSC-NL/log4shell: Operational information regarding the vulnerability in the Log4j logging library), which is currently being exploited.

We found it is also present in Shiny, e.g. within /shiny-server/node_modules/log4js

Does this represent a potential security risk for the server hosting our Shiny applications? Is there a way to address this?

Thanks,
Coen

4 Likes

Hi Coen,

Thank you for asking this question and bringing attention to the matter on our community forum!

RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.

In regards to:

> We found it is also present in Shiny, e.g. within /shiny-server/node_modules/log4js

Log4j is a logging framework for Java, whereas Log4js is a logging framework for JavaScript. As far as I'm aware, Log4js does not have the security vulnerability that Log4j does.

Hope this helps ease any concerns you may have!
-Kyle

2 Likes
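
The name confusion in this thread comes up often when triaging scan results, so here is an added example (not part of either post, and not RStudio's code) that walks a directory tree and separates npm `log4js` package directories from Java archives that actually contain the log4j-core `JndiLookup` class tied to CVE-2021-44228. The function names, sample directory layout and sample version string are assumptions made for illustration.

```python
import json
import os
import tempfile
import zipfile

# Class in log4j-core that implements the JNDI lookup involved in CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify(root):
    """Walk root and return (path, verdict) pairs for log4js dirs and log4j-core archives."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # npm package: a directory named log4js whose package.json names it log4js.
        if os.path.basename(dirpath) == "log4js" and "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
            if meta.get("name") == "log4js":
                version = meta.get("version", "unknown")
                findings.append((dirpath, f"log4js {version} (npm, JavaScript): not Java Log4j"))
        for name in filenames:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as archive:
                    has_jndi = JNDI_CLASS in archive.namelist()
            except zipfile.BadZipFile:
                findings.append((path, "unreadable archive: inspect manually"))
                continue
            if has_jndi:
                findings.append((path, "Java log4j-core with JndiLookup: check version against CVE-2021-44228"))
    return findings

def build_sample_tree(root):
    """Constructed sample layout: one npm log4js directory and one fake log4j-core JAR."""
    pkg = os.path.join(root, "shiny-server", "node_modules", "log4js")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "log4js", "version": "0.0.0-sample"}, fh)
    lib = os.path.join(root, "opt", "javaapp", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-sample.jar"), "w") as jar:
        jar.writestr(JNDI_CLASS, b"")  # empty placeholder entry, not a real class file
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, verdict in classify(build_sample_tree(tmp)):
            print(f"{path}\n  -> {verdict}")
```

Archives nested inside other archives (a JAR bundled in a WAR, for example) are not unpacked here, and a hit only means the class is present, so the log4j-core version still has to be checked.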