CVE-2022-22970, CVE-2022-22971 Vulnerabilities in SonarQube 8.9 LTS

Mohan_Manokaran · May 9, 2023, 5:38am

Hi All,
We are using Sonarqube EE 8.9 LTS and we have got the following vulnerabilities. May I know is this really vulnerable for non-public faced Sonarqube instance? if yes how to fix this?

Vulnerability Information:

CVEs: CVE-2022-22970, CVE-2022-22971

Title: Spring Framework Denial of Service (DoS) Vulnerability

Paths
/opt/sonar/sonarqube-8.9.10.61524/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
/opt/sonar/sonarqube-8.9.10.61524/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar

Andrea_Pancrazi · May 9, 2023, 12:07pm

Dear Mohan Manokaran,

Thank you for bringing these vulnerabilities to our attention. We take security very seriously and appreciate your efforts in helping us to maintain a secure product.

On this occasion, the reported findings affect SonarQube EE 8.9 LTS.
As per our patch policy, we support only 2 versions of SonarQube: the LTS and the latest .
As soon as a more recent version of SonarQube exists, we stop patching old non-LTS versions of SonarQube. We therefore highly recommend that you update to the latest SonarQube 9.9 LTS Enterprise Edition to ensure that your environment is protected against any known vulnerabilities.

Please do continue to report any vulnerabilities you find in future using our process.

How to report a vulnerability responsibly:

Follow this guide if you’ve found a vulnerability in one of SonarSource’s products or websites and you want to responsibly report it.
SonarSource customers with a support contract can report the vulnerability directly through the support channel.
Otherwise, send an email to security@sonarsource.com.

What we need from you:

Detail the steps you followed that make the vulnerability exploitable including any URLs or code you used. The more information you provide, the faster we can reproduce and fix the problem.
Please don’t send PDF, DOC, or EXE files or reports generated by DAST products. We will not look at them. We do accept images.

Focus areas:

Cross-site scripting (XSS)
SQL injection (SQLi)
Cross-site request forgery (CSRF)
Remote code execution (RCE)
Cookies not used for authentication or CSRF protection, not being marked as Secure or HTTPOnly
Data breaches, such as data of private projects or private organizations on SonarCloud.

Public disclosure

You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.

Regards,

Topic		Replies	Views
CVE-2022-42889 effect on SonarQube SonarQube Server / Community Build security , cve	27	6757	November 25, 2022
Is there "official" sonarqube documentation that states version 9.9 is NOT impacted by CVE-2022-4288 SonarQube Server / Community Build	5	890	May 24, 2023
Is CVE-2022-42889, AKA Text4Shell vulnerability impacting SonarQube SonarQube Server / Community Build security , cve	1	1481	October 21, 2022
Dependencies Vulnerabilities Sonarqube Community 9.9 SonarQube Server / Community Build sonarqube	1	308	February 16, 2024
Sonarqube vulnurability CVE-2020 SonarQube Server / Community Build	3	468	August 25, 2021

CVE-2022-22970, CVE-2022-22971 Vulnerabilities in SonarQube 8.9 LTS

Related topics