CVE-2021-42550 Vulnerable logback version 1.2.7 in SonarQube 8.9.6

Hello altogether,
we are using SonarQube 8.9.6.
Our IT security department periodically runs some scans on our systems for recent vulnerabilities.
They identified an unsafe logback library in two jar files, which may allow an attacker remote code execution (according to CVE-2021-42550).

Found CVE-2021-42550 (logback 1.2.7) vulnerability in C:\Program Files (x86)\sonarqube-8.9.6.50800\lib\scanner\sonar-scanner-engine-shaded-8.9.6.50800-all.jar, logback 1.2.3
Found CVE-2021-42550 (logback 1.2.7) vulnerability in C:\Program Files (x86)\sonarqube-8.9.6.50800\lib\sonar-application-8.9.6.50800.jar, logback 1.2.3

Are there any plans to update the logback library in a future release of SonarQube?
Or is there anything we can do on our own to mitigate the risk?

Thanks in advance for your assistance.
Regards, Alexander

PS: I’m not talking about the log4j issue that has already been solved with SonarQube 8.9.6.

Hi,

Welcome to the community!

Thanks for this report. I’ve unlisted it because it deals with the security of the product. I should have some sort of response for you soon.

Ann

Hi,

Sorry for the delay. We’ve upgraded the library in 9.3 just to stay up to date, but this won’t be patched in the LTS because our security researchers feel the risk from Logback is truly minimal:

An attacker being able to override the logback configuration (path traversal, unsafe file upload, …) could probably also be able to modify other files to gain remote code execution. They would not even have to use the JNDI connector, and could simply use the FileAppender to override a system file.

HTH,
Ann
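
As an added example, not part of this thread or of SonarSource's own tooling: a small inventory script that opens a jar such as the two flagged above, recurses into nested jars, and reports any embedded logback artifact whose version is below the fixed 1.2.9. It assumes the shaded jar retained the dependencies' Maven pom.properties metadata (the usual case for shaded bundles); the sample jar is constructed inline and `build_sample_jar`, `report` and friends are names chosen here.

```python
"""Added example, not from the thread: scan a jar (recursing into nested jars,
as shaded bundles often contain) for embedded logback artifacts and flag
versions affected by CVE-2021-42550 (fixed in logback 1.2.9). Stdlib only."""
import io
import re
import zipfile

FIXED_VERSION = (1, 2, 9)  # first 1.2.x release without the JNDI configuration sink
POM_RE = re.compile(r"META-INF/maven/ch\.qos\.logback/logback-(classic|core)/pom\.properties$")

def parse_version(text: str) -> tuple:
    """'1.2.3' -> (1, 2, 3); qualifiers such as '-alpha11' are dropped."""
    return tuple(int(p) for p in re.split(r"[-+]", text.strip(), maxsplit=1)[0].split("."))

def affected(version: str) -> bool:
    """True for 1.2.x builds below 1.2.9 (1.3.0 alpha pre-releases are not modelled here)."""
    return parse_version(version) < FIXED_VERSION

def find_logback_versions(jar_bytes: bytes, path: str = "<root>") -> list:
    """Return [(location, artifact, version)] for every logback pom.properties found."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.search(name)
            if m:  # assumes the shaded jar kept the dependency's Maven metadata
                props = dict(line.split("=", 1) for line in zf.read(name).decode().splitlines()
                             if "=" in line and not line.startswith("#"))
                found.append((path, "logback-" + m.group(1), props.get("version", "unknown")))
            elif name.endswith(".jar"):  # nested jar: descend into it
                found.extend(find_logback_versions(zf.read(name), f"{path}!/{name}"))
    return found

def report(jar_bytes: bytes) -> list:
    """[(location, artifact, version, is_affected)] for every hit."""
    return [(loc, art, ver, affected(ver)) for loc, art, ver in find_logback_versions(jar_bytes)]

def build_sample_jar() -> bytes:
    """Constructed stand-in for a shaded jar: classic 1.2.3 flattened in, core 1.2.9 in a nested jar."""
    nested, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.properties", "#generated\nversion=1.2.9\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/maven/ch.qos.logback/logback-classic/pom.properties", "version=1.2.3\n")
        z.writestr("lib/logback-core.jar", nested.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for loc, art, ver, bad in report(build_sample_jar()):
        print(f"{loc}: {art} {ver} -> {'AFFECTED' if bad else 'ok'}")
```

On a real install, read the jar from disk (for example the two paths in the scanner output above) and pass its bytes to `report`.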

Hi Ann,
thanks for the clarification.
I will discuss with my team whether we switch from the LTS to the latest version or just live with the vulnerability since it is only a minimal risk.

Regards,
Alexander
