RStudio can confirm that Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45105 are not present in any versions of RStudio Professional software applications.
RStudio can also confirm that the open-source versions of RStudio Desktop, RStudio Server, and Shiny Server are also free from the vulnerabilities.
The only thing using Log4j is shinycannon, which is used as part of shinyloadtest for load testing Shiny apps. Both shinycannon and shinyloadtest are completely separate from Shiny Server and RStudio Connect. For those that do use shinycannon as part of their load testing, an update has been released and we would encourage you to install it at your earliest convenience.
Download the latest release here.
GH: Issue, PR, 1.12 source release
RStudio would also like to provide clarification that Shiny Server uses a Node module called Log4js which is a logging framework for JavaScript. This is not associated with Log4j which is a logging framework for Java. Log4js does not contain the vulnerability that Log4j does.
RStudio does note that if your users are using the rJava package, they are therefore using Java, and possibly Java libraries like log4j. Organizations should audit their code if they use rJava.
For a list of our currently supported versions of RStudio Professional software applications, please see here.
Comments