RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.
UPDATE - 2021-12-14
We have confirmed that the open source versions of RStudio Desktop, RStudio Server, and Shiny Server are also free from the vulnerability.
Furthermore, we have confirmed that both the open source and pro versions of RStudio Desktop, RStudio Server/RStudio Workbench, and Shiny Server have never used Log4j, so older versions should be free of the vulnerability as well.
The only thing we have found using Log4j so far is shinycannon, which is used as part of shinyloadtest for load testing Shiny apps. Both shinytest are completely separate from Shiny Server and RStudio Connect. For those that do use shinycannon as part of their load testing, we do have a fix for the Log4j vulnerability in progress right now.
I would also like to provide clarification that Shiny Server uses a Node module called Log4j which is a logging framework for Java. Log4js does not contain the vulnerability that
UPDATE - 2021-12-15
We have confirmed that RStudio Connect has never used Java nor Log4j. This means all older versions of RStudio Connect should also be free of the vulnerability.
Since it is possible to use Java in R via the rJava R package, and thus possibly Java libraries like Log4j, we would suggest that everyone perform audits on their own R code for this vulnerability if they use
UPDATE - 2021-12-16
We have released version shinycannon which updates 2.16.0. This fixes the initial CVE-2021-44228 Log4j vulnerability as well as the CVE-2021-45046 Log4j vulnerability introduced in 2.15.0. Anyone using shinycannon should update to this newest version as soon as possible.
We have found older (and no longer supported) versions of RStudio Pro Drivers contained an instance of Log4j inside the MongoDB drivers (under rstudio-drivers/mongodb/bin/Tools/SchemaEditor/app/libs). However, the currently supported versions of RStudio Pro Drivers do not contain the rstudio-drivers/mongodb/bin/Tools/SchemaEditor folder anymore. Thus, as stated earlier, our currently supported versions of our products do not have the vulnerability.
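For the audit of rJava-based R code suggested above, and for checking an old driver folder such as the one just described, here is an added example (not RStudio's code) that walks a directory tree and reports every JAR, including JARs nested inside other JARs, that bundles log4j-core. Assumptions: the function names are hypothetical, detection relies on the JndiLookup class and the Maven pom.properties entry that log4j-core JARs carry, and 2.16.0 is the threshold only because it is the release this page names as fixing both CVEs.

```python
import io
import os
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # release this page names as fixing both CVEs

def inspect_jar(source, label):
    """Report log4j-core in one archive (path or file object), incl. nested JARs."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return []  # not a readable archive; nothing to report
    findings = []
    with zf:
        names = set(zf.namelist())
        if JNDI_CLASS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props, re.M)
            version = tuple(map(int, m.groups())) if m else None
            # An unreadable version is flagged for review, never assumed safe.
            findings.append({"jar": label, "version": version,
                             "needs_review": version is None or version < FIXED})
        for name in sorted(names):
            if name.lower().endswith(".jar"):
                findings += inspect_jar(io.BytesIO(zf.read(name)), f"{label}!{name}")
    return findings

def scan_tree(root):
    """Walk a directory (an R library path, a drivers folder) and inspect each JAR."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(".jar"):
                path = os.path.join(dirpath, fn)
                findings += inspect_jar(path, path)
    return findings

def make_jar(path, version=None, nested=None):
    """Constructed sample input: a tiny JAR mimicking log4j-core's layout."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(JNDI_CLASS, b"")
            zf.writestr(POM_PROPS, f"version={version}\n")
        if nested:
            zf.write(nested, "lib/" + os.path.basename(nested))
```

Point `scan_tree` at each directory returned by `.libPaths()` in R, or at a drivers install folder; entries with `needs_review` set are the ones to upgrade or remove.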
All further questions or concerns in relation to RStudio's products and the Log4j vulnerability should be directed to email@example.com.