Due to a security vulnerability, all users are advised to update their installation of R to version 4.4.0 or newer as soon as possible (ideally within the next month).
We want to bring to your attention the security risks associated with handling R data files (with the file extensions .rds and .rdx). While the University has not experienced any cyber security incidents as a result of this vulnerability, it is imperative to remain vigilant and informed about potential threats and act accordingly.
A vulnerability (CVE-2024-27322) has been identified in the R language that allows attackers to run code of their choosing, without your permission, when certain types of maliciously crafted data files are loaded. This could potentially lead to unauthorised access, manipulation of systems or unauthorised exporting of data. The vulnerability affects RDS (R Data Serialization) format files and RDX (R database index) files: attackers can craft malicious RDS or RDX files that execute arbitrary commands on the device that loads them. The vulnerability arises from how R implements data loading, particularly through the readRDS function used to load RDS and RDX files. Although users reasonably expect that loading a data file does not run code, this vulnerability allows unauthorised code execution.
The most concerning aspects of this exploit have been fixed in R 4.4.0 (with 4.4.1 being the newest version at the time of writing) and we strongly recommend that all R users at the University of Sheffield upgrade their R version immediately. However, it is important to note that there will continue to be a risk when using RDS or RDX files from untrusted sources, regardless of whether you are using R >= 4.4.0. As always, members of the University of Sheffield should use their best judgement when running code from sources outside of the University.
The upgrade to R >= 4.4.0 will happen automatically in late July and you will not need to take any further action to update R itself. You will need to recreate your R package library for R >= 4.4.0, reinstalling any R packages that you currently need/use (using e.g. update.packages()).
We recommend that you have a recent backup of your files before beginning the update.
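As an added example (not part of the original advisory), the following R helpers record your current package library as a plain-text manifest before the upgrade and, once R >= 4.4.0 is running, reinstall whatever is missing from the new library; the manifest path and the CRAN mirror are assumptions.

```r
# Added example, not code from the advisory. The manifest is written as plain
# text rather than as an RDS file, so recreating the library never depends on
# deserialising an RDS object.
manifest <- file.path("~", "r-packages-before-upgrade.txt")  # assumed path

record_user_packages <- function(path = manifest) {
  ip <- installed.packages()
  # Base and recommended packages ship with R itself (Priority is set);
  # keep only the user-installed packages (Priority is NA).
  user <- ip[is.na(ip[, "Priority"]), "Package"]
  writeLines(sort(unique(user)), path)
  invisible(user)
}

check_r_version <- function(minimum = "4.4.0") {
  current <- getRversion()
  if (current < minimum) {
    stop(sprintf("R %s is running; R >= %s is required for the CVE-2024-27322 fix.",
                 as.character(current), minimum))
  }
  message(sprintf("R %s is running (>= %s).", as.character(current), minimum))
  invisible(TRUE)
}

reinstall_missing_packages <- function(path = manifest,
                                       repos = "https://cloud.r-project.org") {
  check_r_version()  # refuse to rebuild the library on a vulnerable R
  wanted  <- readLines(path)
  present <- rownames(installed.packages())
  missing <- setdiff(wanted, present)
  if (length(missing) == 0) {
    message("Package library is already complete.")
    return(invisible(character(0)))
  }
  message(sprintf("Reinstalling %d package(s): %s",
                  length(missing), paste(missing, collapse = ", ")))
  install.packages(missing, repos = repos)
  invisible(missing)
}

# Usage: run record_user_packages() on the old R before the upgrade, then
# reinstall_missing_packages() after R >= 4.4.0 is installed.
```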
The versions of R centrally installed on Stanage and Bessemer may be older than 4.4.0. Those installations have recently been updated to include a fix for the vulnerability.
If you’re using R via Conda on Bessemer or Stanage, see the guidance for Conda below.
RDS and RDX files are binary files used to store R objects such as data frames, lists, functions, and other R data structures. They are commonly used for saving and loading data within the R programming environment.
Upgrading to R >= 4.4.0 is mandatory as it addresses recent security vulnerabilities. It’s important to remember that even with the latest version there is still a risk with untrusted RDS files.
The time to upgrade to R >= 4.4.0 can range from 2 to 30 minutes depending on internet speed and other factors.
Upgrading R versions within Conda or Docker containers is typically straightforward due to their support for a drop-in replacement approach. However, certain considerations and best practices can streamline the process and mitigate potential complexities.
To upgrade R in your Conda environment, you can use the following command (the version constraint is quoted so that the shell does not treat ">=" as a redirection):
conda install -c conda-forge "r-base>=4.4"
Significant changes, such as a compiler or low-level library update, may necessitate updates to every package in the environment. In such cases, creating a new environment based on the same specifications might offer a simpler solution.
To upgrade R in a Docker container, ensure that the Docker image's R version meets your requirements. Typically, you specify the desired R version in the Dockerfile, ensuring compatibility with your application's dependencies.
Use a Docker image providing r-base version >= 4.4.
One potential issue arises if the older Conda environments rely on different compiler or library versions that are incompatible with the new R version or other dependencies within the environment. In such cases, addressing compatibility issues may require a solve-by-issue approach, where each problem is tackled individually. This could involve updating dependencies, modifying the environment configuration, or seeking alternative solutions depending on the specific challenges encountered.
We advise you to start testing your workflow on the new version, documenting any warnings or errors that might arise. You can book a Code Clinic with the Research Software Engineering (RSE) team, to discuss your specific workflow and concerns in detail and get hands-on assistance with debugging any errors or adapting your code to the new version.
While CRAN offers some security measures, using a package from CRAN isn't guaranteed to be entirely risk-free. Always use your best judgement.
Changes in R version 4.4.0 can be found in R News Documentation.
We recommend that you read the documentation for your operating system / chosen operating system package manager (if applicable). If you cannot find an appropriate method, then we recommend starting the update process by either uninstalling the older version of base R or (less preferable) manually deleting the base R files before downloading and installing version >= 4.4.0. The FAQs linked to from https://cloud.r-project.org/ may also be useful.
Only load R data (.Rds / .Rdx) objects from trusted sources; be very wary of such files shared openly on the internet.