
RStudio has confirmed that it is not affected by the current log4j / CVE-2021-44228 security issue. However, it has not become clear to me whether there might be any r packages with a log4j dependency. I'm most interested in the tidyverse package and other packages that are broadly used such as the xlsx package.

Here's a discussion on how to detect whether installed r packages have a Java dependency.

Annerose N

2 Answers


Probably not.

The only packages that would a priori be affected would be those that depend — directly or indirectly — on Java components, since the log4j vulnerability itself only affects Java code using the log4j Java package.

Bob Rudis scanned for potential vulnerabilities in packages hosted on CRAN and posted the results on the R-pkg-devel mailing list:

I've scanned all of CRAN with — https://github.com/mergebase/log4j-detector — (and looked for the log4j v2 jar directly) and it's all good […]

The odds of any R environment being impacted by this vulnerability were super slim (to almost none) to begin with and — if the tool is accurate — it's 0.

Konrad Rudolph

You can also verify with the following script on any installation location:

find . -name '*.jar' | grep -i 'log4j-' | xargs grep 'JndiLookup'

After you identify the jars which are impacted, you can correct them with the following script:

find . -name 'log4j-core-2.[0-9].*jar' | while read dir;do zip -q -d $dir org/apache/logging/log4j/core/lookup/JndiLookup.class; echo $dir ; done
  • That’ll miss projects which bundle dependencies inside a single JAR (because log4j will be part of a JAR without `log4j` in the name). Still, this is a good, automatic solution for scanning dependencies. One caveat, the second command will break if there’s whitespace or other funny (but legal) characters in the dir name. [Better to use `-print0` with `find` in these situations](https://stackoverflow.com/a/9612232/1968), and then adjust the `read` command accordingly (`IFS= read -r -d ''`.) – Konrad Rudolph Dec 16 '21 at 08:46
  • Thank you Konrad, yes you are right. This works only for jars whose names start with log4j; it doesn't work even when log4j jars are embedded in a war file. – ravi shankar Dec 17 '21 at 20:20
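A scanner that covers the caveats raised in the comments, added here as an example; it is not code from either answer or from the commenters. It is written in Python rather than shell so that sample archives can be constructed inline with the standard zipfile module (the fixture jars contain fake class bytes, not real log4j). It opens every .jar/.war/.ear/.zip it finds regardless of file name (so a fat JAR without "log4j" in its name is not missed), descends into archives nested inside other archives (the WAR case), and is indifferent to whitespace in directory names because paths are handled as strings rather than split on a pipe. It looks for the same JndiLookup.class path that the posted zip -d command removes. Note also that the posted find pattern log4j-core-2.[0-9].*jar only matches a single-digit minor version, so files such as log4j-core-2.14.1.jar would not be caught by it; this scanner does not depend on the version in the file name at all. Pointing scan_tree at an R library directory (the output of .libPaths()) answers the question's case for installed R packages; the root directory is a parameter, nothing about R is assumed.

```python
"""Scan a directory tree for archives that contain log4j's JndiLookup class,
including copies bundled inside fat JARs or WARs. Example code, not from the
original answers; the fixture data below is constructed, not real log4j."""
import io
import os
import tempfile
import zipfile

# Class whose presence marks a log4j 2.x core archive (the same path the
# posted zip -d command deletes).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, label: str) -> list:
    """Return labels of every archive (this one or one nested inside it) that
    contains JndiLookup.class. Nested archives are read from memory, so a
    WAR whose WEB-INF/lib holds log4j-core is reported as war!inner.jar."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip archive at all; ignore
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            hits.append(label)
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return hits


def scan_tree(root: str) -> list:
    """Walk root and scan every archive regardless of its file name, so a fat
    JAR such as app-all.jar is not skipped the way grep -i 'log4j-' skips it."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), path))
    return sorted(hits)


def build_fixture(root: str) -> None:
    """Write constructed sample archives under root (test data only)."""
    fake_class = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class
    spaced = os.path.join(root, "dir with spaces")
    os.makedirs(spaced, exist_ok=True)
    # 1. A plain log4j-core jar; the directory name contains whitespace.
    with zipfile.ZipFile(os.path.join(spaced, "log4j-core-2.14.1.jar"), "w") as zf:
        zf.writestr(JNDI_LOOKUP, fake_class)
    # 2. A WAR that bundles log4j-core inside WEB-INF/lib.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, fake_class)
    with zipfile.ZipFile(os.path.join(root, "app-all.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", inner.getvalue())
    # 3. An unrelated jar that must not be reported.
    with zipfile.ZipFile(os.path.join(root, "commons-io.jar"), "w") as zf:
        zf.writestr("org/apache/commons/io/IOUtils.class", fake_class)


def demo() -> list:
    """Build the fixture in a temporary directory and return the scan hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("JndiLookup.class found in:", hit)
```

Run it with no arguments to see the two expected hits from the constructed fixture; to scan a real installation, call scan_tree with the directory you want checked. The scanner only reports; it deliberately does not modify any archive, so removing the class or upgrading log4j remains a separate, reviewed step.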