CVE-2024-27322 Vulnerability in R Programming language

May 7, 2024

To the UCB-Security community,

This is a notice from the Information Security Office to alert you to a vulnerability that impacts the R programming language [1]. Please share this alert internally with IT admins, service owners, and researchers who run R so they are aware of the issue and know what actions to take to address it.

Summary

R is a programming language widely used in research communities for statistical analysis, and increasingly in Artificial Intelligence and Machine Learning. ISO is aware of a critical vulnerability in the serialization and deserialization process of the R programming language prior to version 4.4.0 [2]. Specifically, the vulnerability exists in the parsing of R Data Serialization (RDS) files, which are commonly bundled with and shared through packages [3]. A malicious actor only needs to modify a single RDS file to exploit the vulnerability, and could plant such a file in packages that are shared widely in the R community [4].

Impact

The vulnerability, if exploited, can allow malicious actors to run arbitrary commands on the system through R. These commands run with the privileges of the user and environment in which R is executed, and could be leveraged to further compromise systems.

What is vulnerable

  • R versions prior to 4.4.0

Recommendations

  • Upgrade all R installations to use version 4.4.0 or later

  • Limit the use of R packages to known good sources
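A small shell helper, added here as an example rather than as part of this notice, that reports whether the R found on PATH predates the fixed 4.4.0 release; it compares version components numerically so that, for instance, a future 4.10.x is not mistaken for an older release. The `R --version` line used in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the ISO notice): flag R installations older than
# the release that fixes CVE-2024-27322.

FIXED_VERSION="4.4.0"

# Compare two dotted versions component by component and print "lt", "eq" or
# "gt" for $1 relative to $2. Numeric comparison avoids the string-sort pitfall
# where "4.10.0" would wrongly sort before "4.4.0".
version_cmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        ai=$(printf '%s' "$a" | cut -d. -f"$i"); bi=$(printf '%s' "$b" | cut -d. -f"$i")
        ai=${ai:-0}; bi=${bi:-0}          # missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
        if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
        i=$((i + 1))
    done
    echo eq
}

# Extract "4.3.2" from the first line of `R --version` output, whose
# constructed sample shape is: R version 4.3.2 (2023-10-31) -- "Sample Name"
parse_r_version() {
    printf '%s\n' "$1" | sed -n 's/^R version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Shell-true (exit 0) when the given version is affected, i.e. older than 4.4.0.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "lt" ]
}

# Check whichever R is first on PATH, if any, and print a one-line verdict.
check_installed_r() {
    if ! command -v R >/dev/null 2>&1; then
        echo "R not found on PATH"
        return 0
    fi
    v=$(parse_r_version "$(R --version 2>/dev/null)")
    if is_affected "$v"; then
        echo "R $v is affected by CVE-2024-27322; upgrade to $FIXED_VERSION or later"
    else
        echo "R $v is not affected"
    fi
}

check_installed_r
```

Run it on each host or container image that has R installed; an "affected" line means the upgrade recommendation above applies to that installation.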

References

  1. https://www.r-project.org/

  2. https://www.kb.cert.org/vuls/id/238194

  3. https://hiddenlayer.com/research/r-bitrary-code-execution/

  4. https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/