RStudio has confirmed that CVE-2021-44228 (Log4j vulnerability) is not present in the currently supported versions of RStudio Professional software applications. For a list of our currently supported versions of RStudio Professional software applications, please see RStudio Support - RStudio.
UPDATE - 2021-12-14
We have confirmed that the open source versions of RStudio Desktop, RStudio Server, and Shiny Server are also free from the vulnerability.
Furthermore, we have confirmed that both the open source and pro versions of RStudio Desktop, RStudio Server/RStudio Workbench, and Shiny Server have never used Log4j so older versions should be free of the vulnerability as well.
The only thing we have found using Log4j so far is shinycannon, which is used as part of shinyloadtest for load testing Shiny apps. Both shinycannon and shinytest are completely separate from Shiny Server and RStudio Connect. For those that do use shinycannon as part of their load testing, we do have a fix for the Log4j vulnerability in progress right now.
I would also like to provide clarification that Shiny Server uses a Node module called Log4js which is a logging framework for JavaScript. This is not associated with Log4j which is a logging framework for Java. Log4js does not contain the vulnerability that Log4j does.
UPDATE - 2021-12-15
We have confirmed that RStudio Connect has never used Java nor Log4j. This means all older versions of RStudio Connect should also be free of the vulnerability.
Since it is possible to use Java in R via the rJava R package, and thus possibly Java libraries like Log4j, we would suggest that everyone perform audits on their own R code for this vulnerability if they use rJava.
UPDATE - 2021-12-16
We have released version 1.1.2 of shinycannon which updates Log4jto version 2.16.0. This fixes the initial CVE-2021-44228 Log4j vulnerability as well as the CVE-2021-45046 Log4j vulnerability introduced in Log4j version 2.15.0. Anyone using shinycannon should update to this newest version as soon as possible.
We have found older (and no longer supported) versions of RStudio Pro Drivers contained an instance of Log4j inside the MongoDB drivers (under rstudio-drivers/mongodb/bin/Tools/SchemaEditor/app/libs). However, the currently supported versions of RStudio Pro Drivers do not contain the rstudio-drivers/mongodb/bin/Tools/SchemaEditor folder anymore. Thus, as stated earlier, our currently supported versions of our products do not have the vulnerability.
All further questions or concerns in relation to RStudio's products and the Log4j vulnerability should be directed to security@rstudio.com.