R Programming Bug Exposes Orgs to Vast Supply Chain Risk
A critical vulnerability has been identified in the R programming language, posing a significant risk to organizations that use this widely adopted open-source language. Assigned CVE-2024-27322 with a severity score of 8.8 out of 10, the vulnerability affects R's data deserialization process, which converts encoded objects (e.g., JSON, XML, binary) back into their original in-memory form. Given R's extensive use in sectors such as finance, healthcare, and research, this vulnerability raises concerns about potential attacks via the software supply chain.
Researchers at HiddenLayer discovered a flaw in R's deserialization process, enabling attackers to execute arbitrary code through specially crafted R Data Serialization (RDS) files. These files, commonly used by programmers to store or share R objects, became a vector for exploitation. The vulnerability is rooted in two core concepts of R: lazy evaluation and promise objects, where expressions or variables are evaluated only when needed, aiming to enhance performance.
To address this risk, Schulz advises organizations to upgrade to the latest version of R and raise awareness among users about potential vulnerabilities. Additionally, organizations should adopt a policy of using only trusted files and packages. This vulnerability highlights the importance of maintaining vigilance and implementing robust security measures in software development and usage.
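The two mitigations above (run a patched R, deserialize only trusted files) can be enforced in code rather than left to policy. The following R snippet is an added example, not code from the article or from HiddenLayer: it wraps readRDS() in a gate that refuses to deserialize on an unpatched interpreter and rejects any file whose digest is not on an allowlist maintained out of band. It assumes the fix shipped in R 4.4.0 (verify against the R NEWS for your build) and uses the base-R tools::md5sum() for the allowlist; the allowlist entry and the file it reads are constructed in the example itself.

```r
# Added example: gate readRDS() on a patched R version and a hash allowlist,
# turning the "only trusted files" policy into an enforced check.
# ASSUMPTION: the CVE-2024-27322 fix shipped in R 4.4.0; confirm in the R NEWS.
FIXED_R_VERSION <- "4.4.0"

# ASSUMPTION: allowlist of basename -> MD5 digest, maintained out of band.
# The entry below is a constructed placeholder, not a real digest.
trusted_rds <- c(
  "model.rds" = "00000000000000000000000000000000"
)

read_trusted_rds <- function(path, allowlist = trusted_rds) {
  # 1. Never deserialize on an interpreter that still creates promise
  #    objects from untrusted RDS input.
  if (getRversion() < FIXED_R_VERSION) {
    stop("R ", getRversion(), " predates the CVE-2024-27322 fix; ",
         "refusing to deserialize ", path)
  }
  # 2. Only files whose digest matches the allowlist are loaded. tools::md5sum
  #    returns a named vector (name = path), so strip the name before comparing.
  digest   <- unname(tools::md5sum(path))
  expected <- unname(allowlist[basename(path)])
  if (is.na(expected) || !identical(digest, expected)) {
    stop("RDS file ", path, " is not on the allowlist (md5 ", digest, "); ",
         "refusing to deserialize")
  }
  readRDS(path)
}

# Usage: build a benign RDS file, register its digest, and load it through the gate.
tmp <- tempfile(fileext = ".rds")
saveRDS(list(answer = 42), tmp)
allow <- setNames(unname(tools::md5sum(tmp)), basename(tmp))
obj <- read_trusted_rds(tmp, allowlist = allow)
stopifnot(identical(obj$answer, 42))

# A file that is not registered is rejected before readRDS() ever runs.
unregistered <- tempfile(fileext = ".rds")
saveRDS(list(answer = 43), unregistered)
stopifnot(inherits(try(read_trusted_rds(unregistered, allowlist = allow), silent = TRUE), "try-error"))
```

The allowlist proves provenance (the file is the one you vetted), not that its contents are harmless; the version gate is what actually removes the deserialization primitive, so keep both. tools::md5sum() is used only because it is in base R; where the openssl or digest package is available, a SHA-256 allowlist is the better choice.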
News source:
https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
Follow further updates on the webboard or the NCSA Thailand Facebook page.