CVE-2024-27322 - R-bitrary Code Execution
Summary
This R language vulnerability allows an attacker to exploit how R loads packages and other .rds, .rdb, and .rdx files. An attacker who can get a user to load a malicious package or deserialize a malicious RDS formatted file can run arbitrary code.
Response
Posit software is not vulnerable to CVE-2024-27322. Versions of R >= 4.0.0 released by Posit have been patched for CVE-2024-27322. Please see https://docs.posit.co/resources/install-r/ for further information and installation instructions.
Posit recommends that customers take the following actions:
- Upgrade to version R 4.4.0, which is supported in the latest versions of all Posit products, or a patched release of R 4.0.0-4.3.3 (see response note above).
- Note: Taking action to disable older versions of R in products like Posit Connect can result in broken content. Consider auditing the content runtimes in use on your server before creating your response plan. Work with R developers to update and republish content to Connect. Posit Connect’s runtime cache invalidation and rebuild tools are not an effective content upgrade strategy.
- Review code for untrusted or third-party .rds, .rdb, and .rdx files.
- Review internally developed packages for code weaknesses related to deserializing data.
- Use trusted sources for R packages like Posit Package Manager, Posit Public Package Manager, and CRAN.
- Consider using Posit Package Manager to monitor and block reported malicious packages.
- Monitor applications for unauthorized or unusual activity.
Posit recognizes that source files in some Posit GitHub repositories contain examples using readRDS() to deserialize RDS formatted files. Source files using readRDS() or any deserializing function should always be validated.
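As an added example (not Posit's own code) of the review step above, this R script uses R's own parser to list every call site of readRDS() and similar deserializing functions in a source tree, so each one can be checked for whether its input is trusted. The function list, the .R file pattern and the constructed sample file are assumptions.

```r
# Added example, not Posit's code: audit R source files for calls to
# deserializing functions so each call site can be reviewed.
# Assumed list of functions worth reviewing; extend as needed.
deser_funs <- c("readRDS", "unserialize", "load", "lazyLoad")

audit_file <- function(path) {
  # Parse with source references so getParseData() can report token positions.
  exprs <- tryCatch(parse(path, keep.source = TRUE), error = function(e) NULL)
  if (is.null(exprs)) {
    return(data.frame(file = path, line = NA_integer_, fun = "<parse error>",
                      stringsAsFactors = FALSE))
  }
  pd <- utils::getParseData(exprs)
  # SYMBOL_FUNCTION_CALL tokens are names in call position, so a string
  # "readRDS" is not counted while both readRDS(...) and base::readRDS(...) are.
  hits <- pd[pd$token == "SYMBOL_FUNCTION_CALL" & pd$text %in% deser_funs, ]
  if (nrow(hits) == 0) return(NULL)
  data.frame(file = path, line = hits$line1, fun = hits$text,
             stringsAsFactors = FALSE)
}

audit_dir <- function(dir) {
  # Walk the tree for .R files and combine the per-file findings.
  files <- list.files(dir, pattern = "\\.[Rr]$", recursive = TRUE,
                      full.names = TRUE)
  res <- do.call(rbind, lapply(files, audit_file))
  if (is.null(res)) message("no deserializing calls found under ", dir)
  invisible(res)
}

# Constructed sample (not from any real project) to exercise the audit.
sample_dir <- tempfile("audit_")
dir.create(sample_dir)
writeLines(c("cfg <- readRDS(file.path(input_dir, 'settings.rds'))",
             "obj <- base::unserialize(raw_payload)",
             "x <- 1 + 1"),
           file.path(sample_dir, "app.R"))
print(audit_dir(sample_dir))
```

Each reported line should be traced to the origin of its input; a call that reads from a user upload, a network fetch or any path outside the package is the case the advisory asks you to review.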
Posit products are tested on all new versions of R. Please subscribe to product announcements for more on Posit releases.
https://posit.co/about/subscription-management/