On Tue, 14 Dec 2021 14:37:47 +0000 "Franklin, Mark via R-help" <r-help@r-project.org> wrote:
> Would you be able to confirm if R for Windows v3.1.1 is impacted by > this vulnerability? R itself isn't written in Java, so it cannot, but the third-party Java code that you might be calling using rJava might be. Bob Rudis has been very kind to scan the CRAN [*] looking for packages written in Java that might bundle the vulnerable version of log4j, and didn't find any, but your environment may contain different versions of packages from different sources, and those might still be vulnerable. There could be other vulnerabilities in R v3.1.1, some of them fixed since 2014. -- Best regards, Ivan [*] https://stat.ethz.ch/pipermail/r-package-devel/2021q4/007589.html ______________________________________________ R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see https://stat.ethz.ch/mailman/listinfo/r-help PLEASE do read the posting guide http://www.R-project.org/posting-guide.html and provide commented, minimal, self-contained, reproducible code.
