R Vulnerability

Please be aware of a vulnerability in the R language in all versions prior to R version 4.4.0. Here are several announcements about the vulnerability: 
https://www.cisa.gov/news-events/alerts/2024/05/01/certcc-reports-r-programming-language-vulnerability

https://kb.cert.org/vuls/id/238194: “A vulnerability in the R language that allows for arbitrary code to be executed directly after the deserialization of untrusted data has been discovered. This vulnerability can be exploited through RDS (R Data Serialization) format files and .rdx files. An attacker can create malicious RDS or .rdx formatted files to execute arbitrary commands on the victim's target device.”

We encourage all of our R users to migrate from prior versions of R (4.3.x or earlier) to R version 4.4.0 at your earliest convenience. To assist you with this migration, we have installed modules for R version 4.4.0 on the Beartooth HPC Environment:

r/4.4.0
r-rmpi/0.7-1-ompi-r4.4

These modules are available via the “module …” commands as well as in OnDemand. The R/4.4.0 module is now the default R module on Beartooth, Loren and Wildiris HPC Clusters and will be the only R module available on MedicineBow. These modules include the R packages we typically include in our earlier R modules. If you have installed any libraries yourself you will need to re-install those libraries in R version 4.4.0, as those installations are version-specific.

We intend to disable ARCC’s older R modules on Beartooth by Friday June 28th, 2024.

If you have installed your own copy of R, via conda or some other method, you are welcome to use ARCC’s R modules. We encourage you to upgrade your personally installed version of R to 4.4.0.
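
To confirm which side of the 4.4.0 cutoff an R installation falls on, the following added example (not an ARCC-provided script) classifies the first line of `R --version` output. The function names and the sample banner lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify R installations against the fixed release (4.4.0).
FIXED_VERSION="4.4.0"

# Pull "X.Y.Z" out of the first line of `R --version` output.
parse_r_version() {
    printf '%s\n' "$1" |
        sed -n 's/^R version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeed if X.Y.Z in $1 is >= X.Y.Z in $2 (numeric, field by field,
# so that 4.10.x is correctly treated as newer than 4.4.x).
version_at_least() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six fields: major minor patch, twice
    IFS=$old_ifs
    [ "$#" -eq 6 ] || return 2
    if [ "$1" -gt "$4" ]; then return 0; fi
    if [ "$1" -lt "$4" ]; then return 1; fi
    if [ "$2" -gt "$5" ]; then return 0; fi
    if [ "$2" -lt "$5" ]; then return 1; fi
    [ "$3" -ge "$6" ]
}

# Print "patched X.Y.Z", "vulnerable X.Y.Z", or "unknown" for a banner line.
r_status() {
    v=$(parse_r_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    if version_at_least "$v" "$FIXED_VERSION"; then
        echo "patched $v"
    else
        echo "vulnerable $v"
    fi
}

# Constructed sample banner lines (not captured from any ARCC system).
for line in 'R version 4.3.2 (2023-10-31) -- "Eye Holes"' \
            'R version 4.4.0 (2024-04-24) -- "Puppy Cup"' \
            'R Under development (unstable)'; do
    printf '%-18s <- %s\n' "$(r_status "$line")" "$line"
done

# Check whichever R is first on PATH, if any (module, conda, or other install).
if command -v R >/dev/null 2>&1; then
    r_status "$(R --version 2>/dev/null | head -n 1)"
fi
```

Run it once with a conda or other personal environment active and once after loading the r/4.4.0 module to see which installations still report as vulnerable.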

Please let us know if you have any questions by writing to us at arcc-help@uwyo.edu