jnayineni
(Janaki)
December 20, 2021, 10:37am
Hi, we now have the latest version of SonarQube 8.9.5 LTS, but the log4j version is 2.16. Is there any plan to upgrade log4j to 2.17? Is log4j version 2.16 vulnerable?
2 Likes
Michael
(Michael Gumowski)
December 22, 2021, 10:17am
Hello,
Please have a look at these threads; version 8.9.6 has already been released and embeds log4j 2.17.
Hi all,
SonarSource is pleased to inform you of the releases of SonarQube 8.9.6 LTS and SonarQube 9.2.4.
We have released 2 new SonarQube updates to eliminate confusion and avoid false positives in relation to Log4J that may arise from vulnerability scanning tools in regards to CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105.
The SonarQube Log4J test dependency is updated to 2.17. This dependency is not included in the SonarQube distribution and is not susceptible to these CVEs.
The Elasti…
And for the consequences of the log4j vulnerabilities, the following thread will keep you up to date with what we do.
Update 21 December 2021
Hi all,
We’ve just released SonarQube 8.9.6 LTS and 9.2.4 (Latest) to eliminate confusion and avoid false positives from vulnerability scanning tools in regards to: CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105.
In these new versions, the Elasticsearch component is updated to its latest bugfix version, 7.16.2, which updates the packaged Log4J dependency to 2.17.
Note: Although our security researchers have not found the previous SonarQube LTS (8.9.3, 8.9.4 or 8.9.5…
1 Like
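As an added example (not code from this thread or from SonarSource): a small POSIX shell check that walks a SonarQube install directory, lists every bundled `log4j-core` jar with its version, and flags those older than the 2.17.0 line that 8.9.6 / 9.2.4 ship. It assumes the jar file names carry the version, as they do under `elasticsearch/lib` in a SonarQube distribution, and that GNU `sort -V` is available; the sample tree it builds is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not from the thread. Flags log4j-core jars below 2.17.0
# under a SonarQube install. Assumes version-in-filename jars (as in
# <install>/elasticsearch/lib) and GNU sort -V for version ordering.

FIXED_VERSION="2.17.0"

# Print "path version status" for every log4j-core jar below $1.
check_log4j_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' | while read -r jar; do
    ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
    # sort -V orders versions numerically; if the jar's version sorts
    # below FIXED_VERSION it predates the 2.17 fix discussed above.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$ver" != "$FIXED_VERSION" ] && [ "$lowest" = "$ver" ]; then
      echo "$jar $ver OUTDATED"
    else
      echo "$jar $ver OK"
    fi
  done
}

# Number of jars flagged OUTDATED; non-zero means the install still
# bundles a pre-2.17 log4j-core (i.e. it predates 8.9.6 / 9.2.4).
count_outdated() {
  check_log4j_jars "$1" | grep -c 'OUTDATED$' || true
}

# Constructed sample tree (not a real install): one outdated jar under the
# Elasticsearch lib directory and one already-fixed jar elsewhere.
make_sample_install() {
  dir=$(mktemp -d)
  mkdir -p "$dir/elasticsearch/lib" "$dir/lib/common"
  : > "$dir/elasticsearch/lib/log4j-core-2.16.0.jar"
  : > "$dir/lib/common/log4j-core-2.17.1.jar"
  echo "$dir"
}

# Stand-alone run against the constructed tree, then clean up.
sample=$(make_sample_install)
check_log4j_jars "$sample"
echo "outdated jars: $(count_outdated "$sample")"
rm -rf "$sample"
```

To check a live instance, point `check_log4j_jars` at the SonarQube home directory instead of the sample tree.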