Important: R

2024-06-1918:46:00

alas.aws.amazon.com

r statistical language

deserialization vulnerability

arbitrary code execution

system update

red hat

mitre

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

7.4

Confidence

Low

JSON

Issue Overview:

Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. (CVE-2024-27322)

Affected Packages:

Issue Correction:
Run yum update R to update your system.

New Packages:

i686:  
    libRmath-static-3.4.1-1.53.amzn1.i686  
    R-core-devel-3.4.1-1.53.amzn1.i686  
    R-devel-3.4.1-1.53.amzn1.i686  
    R-java-3.4.1-1.53.amzn1.i686  
    R-3.4.1-1.53.amzn1.i686  
    R-java-devel-3.4.1-1.53.amzn1.i686  
    R-core-3.4.1-1.53.amzn1.i686  
    libRmath-3.4.1-1.53.amzn1.i686  
    libRmath-devel-3.4.1-1.53.amzn1.i686  
    R-debuginfo-3.4.1-1.53.amzn1.i686  
  
src:  
    R-3.4.1-1.53.amzn1.src  
  
x86_64:  
    libRmath-static-3.4.1-1.53.amzn1.x86_64  
    libRmath-devel-3.4.1-1.53.amzn1.x86_64  
    R-3.4.1-1.53.amzn1.x86_64  
    R-devel-3.4.1-1.53.amzn1.x86_64  
    R-java-devel-3.4.1-1.53.amzn1.x86_64  
    R-java-3.4.1-1.53.amzn1.x86_64  
    R-core-3.4.1-1.53.amzn1.x86_64  
    R-core-devel-3.4.1-1.53.amzn1.x86_64  
    libRmath-3.4.1-1.53.amzn1.x86_64  
    R-debuginfo-3.4.1-1.53.amzn1.x86_64

Additional References

Red Hat: CVE-2024-27322

Mitre: CVE-2024-27322

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686librmath-static< 3.4.1-1.53.amzn1libRmath-static-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-core-devel< 3.4.1-1.53.amzn1R-core-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-devel< 3.4.1-1.53.amzn1R-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-java< 3.4.1-1.53.amzn1R-java-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r< 3.4.1-1.53.amzn1R-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-java-devel< 3.4.1-1.53.amzn1R-java-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-core< 3.4.1-1.53.amzn1R-core-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686librmath< 3.4.1-1.53.amzn1libRmath-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686librmath-devel< 3.4.1-1.53.amzn1libRmath-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux1i686r-debuginfo< 3.4.1-1.53.amzn1R-debuginfo-3.4.1-1.53.amzn1.i686.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	i686	librmath-static	< 3.4.1-1.53.amzn1	libRmath-static-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-core-devel	< 3.4.1-1.53.amzn1	R-core-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-devel	< 3.4.1-1.53.amzn1	R-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-java	< 3.4.1-1.53.amzn1	R-java-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r	< 3.4.1-1.53.amzn1	R-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-java-devel	< 3.4.1-1.53.amzn1	R-java-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-core	< 3.4.1-1.53.amzn1	R-core-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	librmath	< 3.4.1-1.53.amzn1	libRmath-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	librmath-devel	< 3.4.1-1.53.amzn1	libRmath-devel-3.4.1-1.53.amzn1.i686.rpm
Amazon Linux	1	i686	r-debuginfo	< 3.4.1-1.53.amzn1	R-debuginfo-3.4.1-1.53.amzn1.i686.rpm