Hi, We have now the latest version of Sonaeqube 8.9.5 LTS but the log4j version is on 2.16. Is there any plan to upgrade log4j to 2.17. Is log4j version 2.16 are vulnerable?

Michael (Michael Gumowski) December 22, 2021, 10:17am 2

Hello,

Please have a look at these threads, version 8.9.6 has already been released and embeds log4j 2.17.

And for the consequences of the log4j vulnerabilities, the following thread will keep you up to date with what we do.

1 Like

Topic		Replies	Views
SonarQube, SonarCloud, and the Log4J vulnerability Sonar Updates	163	86400	October 11, 2022
SonarQube and CVE-2021-44228 SonarQube Server / Community Build sonarqube , security	3	4644	December 10, 2021
SonarQube 8.9.6 LTS and 9.2.4 released Releases sonarqube	2	8482	December 21, 2021
SonarQube 8.9.4 LTS and 9.2.2 released Releases sonarqube	8	6190	December 15, 2021
What is the impact of Log4j on the SonarQube version 9.1.0.47736 SonarQube Server / Community Build	3	1251	December 17, 2021