Posit provides patched binaries for R versions 4.0.0 and above
On April 29, 2024, security researchers at HiddenLayer disclosed a security vulnerability (CVE-2024-27322) in the R programming language that could allow attackers to execute arbitrary code by exploiting R's data serialization process (RDS). The R Core team patched this vulnerability in R version 4.4.0 in collaboration with HiddenLayer researchers, so the current release of R mitigates the vulnerability.
Posit maintains the r-builds project, which orchestrates tools to produce binaries of R for popular Linux distributions as a community resource. Our engineers have created patched binaries for R versions 4.0.0 and above by backporting the same fix the R Core and HiddenLayer teams implemented in R 4.4.0. These R binaries are available for anyone to use, but they are not professionally supported by Posit. Posit does not distribute R binaries for macOS and Windows; Mac and Windows users should upgrade to R 4.4.0 using the binaries provided by CRAN.
Taking action to disable older versions of R in products like Posit Workbench and Posit Connect can result in broken code and deployed content. We recommend auditing the versions of R in use on your server before creating your response plan. Work with R developers to ensure code runs as intended in a staging environment before making widespread changes. R developers should update and republish content to Posit Connect; Connect’s runtime cache invalidation and rebuild tools are not an effective content upgrade strategy.
Posit is also working closely with our partners to ensure that our integrated product offerings like RStudio on Amazon SageMaker include patched and upgraded R versions. R versions < 4.0.0 will be removed from these integrated offerings in the near future.
Posit's Linux binaries for R versions 4.0.0 through 4.3.3 provide an alternative to an immediate upgrade to R version 4.4.0, which may not be possible or advisable in all environments. Administrators can install a patched R binary in place of an existing R installation of the same version. Administrators should work with R developers to create a plan for installing a patched binary and for testing code and deployed content afterwards.
To confirm that an R installation has been patched, you can check the top of the R NEWS file for a note we’ve added, e.g. by running news() in R:
> options(browser = "false")
> news(grepl("CVE-2024-27322", Text))
Changes in version 4.3.3
CHANGES IN POSIT'S BUILD FROM <https://github.com/rstudio/r-builds>
    o readRDS() and unserialize() now signal an error instead of
      returning a PROMSXP, to fix CVE-2024-27322.
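The version audit recommended above and the NEWS-file check can be combined into one pass over a server. The following POSIX shell script is an added example, not part of Posit's post or of the r-builds project. It assumes the r-builds layout (each installation under /opt/R/<version>, with R_HOME at /opt/R/<version>/lib/R and the plain-text NEWS file at R_HOME/doc/NEWS) and classifies every installation as "upgraded" (4.4.0 or later, fixed upstream), "patched" (older R whose NEWS carries the backport note quoted above) or "vulnerable" (older R without that note). The function names and the three labels are the example's own.

```shell
#!/bin/sh
# Audit R installations for CVE-2024-27322 status.
# Added example; assumptions (not from the page): r-builds installs
# each R under /opt/R/<version> with R_HOME=/opt/R/<version>/lib/R,
# and the plain-text NEWS file lives at R_HOME/doc/NEWS.

# vkey VERSION -> zero-padded sortable key, e.g. "4.3.3" -> 004003003
vkey() {
    # shellcheck disable=SC2046  # word-splitting the components is intended
    printf '%03d%03d%03d' $(echo "$1" | tr . ' ')
}

# version_ge A B -> exit 0 if dotted version A >= B (numeric, not lexical,
# so 4.10.0 >= 4.4.0 is handled correctly)
version_ge() {
    [ "$(vkey "$1")" -ge "$(vkey "$2")" ]
}

# classify_r_install VERSION NEWS_FILE -> prints one of:
#   upgraded   R >= 4.4.0: the fix is in upstream R itself
#   patched    older R whose NEWS carries the Posit backport note
#   vulnerable older R with no backport note (or no readable NEWS)
classify_r_install() {
    version=$1
    news=$2
    if version_ge "$version" 4.4.0; then
        echo upgraded
    elif [ -r "$news" ] && grep -q 'CVE-2024-27322' "$news"; then
        echo patched
    else
        echo vulnerable
    fi
}

# audit_opt_r [ROOT] -> one "<version>\t<status>" line per installation
# found under ROOT (default /opt/R); the directory name is the version.
audit_opt_r() {
    root=${1:-/opt/R}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        v=$(basename "$dir")
        status=$(classify_r_install "$v" "$dir/lib/R/doc/NEWS")
        printf '%s\t%s\n' "$v" "$status"
    done
}

# Usage: sh audit-r.sh [/path/to/R/installations]
audit_opt_r "${1:-/opt/R}"
```

Run it on each server before deciding which installations to replace with a patched binary, which to upgrade, and which to leave for R developers to test first. Any line reporting "vulnerable" is an installation that still returns a PROMSXP from readRDS()/unserialize() and should be scheduled for a patched binary or an upgrade.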
If you choose to upgrade to a new major version of R as part of your response plan, users will be required to reinstall any R packages. In addition to providing precompiled binaries of R for Linux, Posit also provides precompiled binaries of R packages from CRAN via Posit Public Package Manager. These package binaries are much faster to install than source packages and are available via historical snapshots, making the process of reinstalling packages after upgrading R faster and more reproducible.