Are there R packages affected by the current log4j / CVE-2021-44228 security issue?
RStudio has confirmed that it is not affected by the current log4j / CVE-2021-44228 security issue. However, I am not yet clear on whether any R packages have a log4j dependency. I am most interested in the tidyverse packages and other widely used packages, e.g. the xlsx package.
A discussion of how to detect whether installed R packages have a Java dependency.
Probably not.
The only packages that could be affected a priori are those that depend, directly or indirectly, on Java components, because the log4j vulnerability itself only affects Java code that uses the log4j Java package.
Bob Rudis scanned the packages hosted on CRAN for potential vulnerabilities and posted the results on the R-pkg-devel mailing list:
I've scanned all of CRAN with —
https://github.com/mergebase/log4j-detector — (and looked for the
log4j v2 jar directly) and it's all good […]
The odds of any R environment being impacted by this vulnerability
were super slim (to almost none) to begin with and — if the tool is
accurate — it's 0.
You can also verify any install location with the following command (prints only the names of jars that contain the JndiLookup class):
find . -name '*.jar' | grep -i 'log4j-' | xargs grep -l 'JndiLookup'
Once the affected jars are identified, you can fix them with the following command (the name pattern matches every log4j-core 2.x release, not only 2.0 to 2.9; paths are quoted so jars under directories with spaces are handled):
find . -name 'log4j-core-2.*.jar' | while read -r dir; do zip -q -d "$dir" org/apache/logging/log4j/core/lookup/JndiLookup.class; echo "$dir"; done
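The same check and mitigation as the two commands above, as an added Python example that is not part of the answer: it walks a library tree, picks out log4j-core jars by name, reads each jar's entry list for JndiLookup.class instead of grepping raw bytes, and rewrites affected jars without that entry. The package directories pkgA and pkgB and the jars inside them are constructed stand-ins, not real R packages or real log4j builds.

```python
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)

def scan_library(root):
    """Map each log4j-core jar under root to (version, has JndiLookup.class, affected by CVE-2021-44228)."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        m = LOG4J_CORE.match(jar.name)
        if m:  # other jars (poi, commons-*, ...) are not log4j and are skipped
            version = tuple(map(int, m.groups()))
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_ENTRY in zf.namelist()
            # affected releases are 2.0 up to 2.14.1, and only while the lookup class is still present
            findings[str(jar)] = (version, has_jndi, (2, 0, 0) <= version < (2, 15, 0) and has_jndi)
    return findings

def strip_jndi_lookup(jar):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`: rewrite the jar without that entry."""
    tmp = Path(jar).with_suffix(".tmp")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_ENTRY:
                dst.writestr(info, src.read(info.filename))
    tmp.replace(jar)

def make_sample_library(root):
    """Constructed stand-in for an R library tree; the jars are empty shells, not real builds."""
    jars = {"pkgA/java/log4j-core-2.14.1.jar": [JNDI_ENTRY, "META-INF/MANIFEST.MF"],  # affected
            "pkgB/java/log4j-core-2.17.0.jar": ["META-INF/MANIFEST.MF"],              # fixed release
            "pkgA/java/poi-5.0.0.jar": ["org/apache/poi/Version.class"]}              # unrelated
    for rel, entries in jars.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(Path(root, rel), "w") as zf:
            for name in entries:
                zf.writestr(name, b"")

def demo():  # scan the constructed tree, strip JndiLookup from affected jars, rescan: (before, after)
    with tempfile.TemporaryDirectory() as root:
        make_sample_library(root)
        before = {Path(p).name: bad for p, (_, _, bad) in scan_library(root).items()}
        for path, (_, _, bad) in scan_library(root).items():
            if bad:
                strip_jndi_lookup(path)
        after = {Path(p).name: bad for p, (_, _, bad) in scan_library(root).items()}
        return before, after
```

Point scan_library at an R library path such as the output of .libPaths() to run the check against a real installation; only jars whose name matches log4j-core-2.x.y.jar are inspected.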