R Language Vulnerability
Notice: Vulnerability in R Programming Language
Dear UBC Researchers,
In late April, a vulnerability was announced in the R programming language that may permit arbitrary code execution when untrusted data is deserialized, e.g., data downloaded or sourced from the internet. We are contacting you to raise awareness and to ask that you update R to the most recent patched version.
UBC’s cybersecurity team has issued some information on this: https://cc.cybersecurity.ubc.ca/vulnerabilities/cve-2024-27322/ (CWL login required to access).
A good summary of the issue can be found here: https://cyberint.com/blog/research/new-vulnerability-in-rs-deserialization-discovered/
Actions required:
- Update R core to version 4.4.0 or later promptly. Updates can be found on the R Core site: https://cran.rstudio.com/
- Until then, avoid interaction with untrusted RDS files or packages to mitigate risks.
Servers running implementations of R have been patched and business owners have been advised.
All instructional computer labs have also had updates applied after the exam period concluded.
Currently, IT Services/Research Computing does not have pre-built packages for deployment to employee devices. The update will need to be handled manually.
If you require any advice on updating, please log a ticket and we will have a technician contact you for assistance.
Best regards,
Research Computing
The University of British Columbia | Okanagan Campus | Syilx Okanagan Nation Territory
1138 Alumni Avenue | Kelowna British Columbia | V1V1V7 Canada