A vulnerability, CVE-2024-27322, in the R programming language that affects the serialization and deserialization process in the R programming language prior to version 4.4.0 is discovered. This vulnerability can be exploited through R Data Serialization files or R packages, which are often shared between developers and data scientists. An attacker can create malicious RDS files or R packages containing embedded arbitrary R code that executes on the victim's target device upon interaction. R addresses the vulnerability starting from version 4.4.0. We have installed R 4.4.0 on all clusters and recommend using R/4.4.0. Please limit package use to trusted sources. When migrating to R version 4.4, you will need to reinstall the necessary packages. We will perform rolling reboots on all clusters (Pitzer, Ascend, Owens), starting from 9am Thursday June 6th, to address the vulnerability by patching old versions of R.
Display Start:
Tuesday, June 4, 2024
Display End:
Thursday, June 13, 2024
