Is SonarQube 7.9.5 vulnerable to the Log4j vulnerability (CVE-2021-44228)?

Hi @sahmed and welcome to the community

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.9.5 → 7.9.6 → 8.9.3 → 9.2.1 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

For general information about CVE-2021-44228 you can read our announcement here.

Hi Tobias,

Thank You for your reply and providing us the details on upgrading sonarqube.

I have gone through the link (SonarQube, SonarCloud, and the Log4J vulnerability) provided by you in your previous mail. The link only mentions SonarQube LTS 8.9.x and SonarQube 9.2.1.

Can you just confirm that the solution provided by Ann is applicable to SonarQube 7.9.5 as well? Will it mitigate the Log4Shell vulnerability if I add the line below to the sonar.properties file for SonarQube 7.9.5?

sonar.search.javaAdditionalOpts=-Dlog4j2.formatMsgNoLookups=true

Thank You,
Saad.

As this version is not supported anymore, I cannot make any claim about a version that is EOL. I can only strongly recommend that you upgrade, because there are other vulnerabilities in this version due to outdated dependencies.

Just to be clear @sahmed, you don’t need to hit 7.9.6 on the way to 8.9.3. You can go directly from 7.9.5 to 8.9.3.

Ann

Thank You @ganncamp

Hi @Tobias_Trabelsi , @ganncamp ,

We are planning to upgrade our SonarQube instances. Could you please let us know if there are any fixed versions released which are not impacted by both Log4j CVEs (CVE-2021-44228 and CVE-2021-45046)?

Please take a look at this announcement: SonarQube, SonarCloud, and the Log4J vulnerability

Thank You @Tobias_Trabelsi. Just to confirm, does 8.9.5 address both CVE-2021-44228 and CVE-2021-45046?

Also, can we directly upgrade from 7.9.5 to 8.9.5, or do we need to upgrade to intermediate versions first?

Hi,

Yes, SonarQube 8.9.5 LTS and 9.2.3 address both Log4Shell (CVE-2021-44228) and CVE-2021-45046.
You may go straight from 7.9.5 to 8.9.5, as Ann already mentioned when 8.9.4 and 8.9.5 were not yet available.
This still stands with 8.9.5.

Gilbert

Thank You @Rebse, this helps.

Hello All,

Can you please suggest the upgrade path from 7.9.4 to 8.9.5? Can I directly upgrade to 8.9.5?

Regards
Ritesh Behl

Yes, you can go directly to 8.9.5.

Hi,

Yes, it's straight from the former LTS 7.9.x to the current LTS 8.9.x.
You should use the latest 8.9.6 LTS, released yesterday.

Gilbert

Hello All,

As suggested earlier by you, we are upgrading SonarQube in our lower environment to 8.9.6, and I need some assistance with it. Could you please help us understand what we should do about our installed plugins? The upgrade guide says to install the plugins manually again, but I suspect that if we freshly install the plugins we will lose their configuration and need to reconfigure them. Please help here.

Hi,

What plugins do you use?
When updating from 7.9.5 you first need to check whether your plugins are still compatible
with SonarQube 8.9.x.
Some plugins use hardcoded SonarQube versions, which might cause problems.
Before starting a new SonarQube version, I put the plugin jars into $SONARQUBE_HOME/extensions/plugins.

Gilbert

Hi @Rebse, please find attached the screenshots showing the plugins in our SonarQube prod environment.

As those plugins are all provided by SonarSource, their configuration is persisted in the SonarQube
database, and I see no problems with your upgrade.

Hi @Rebse ,

Thank You for the confirmation!!!

I also had one more question. Since my original post was about remediating the Log4Shell vulnerability, could you please let us know if there are any additional steps we need to take after upgrading to 8.9.6 to remediate the Log4j vulnerability?

With regard to the log4j-core CVEs, nothing additional is needed.
SonarQube 8.9.6 LTS and 9.2.4 deal with all three log4j-core CVEs known so far.

In addition to my earlier answer to your plugin question:
as those plugins are all provided by SonarSource and built into the SonarQube edition,
you don't need to do anything but point your new SonarQube version at the existing database.
And, as always recommended, you should have a backup of your database.
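To check the upgraded instance rather than take the release number on faith, here is an added example that is not from the original thread and is not SonarSource code: a POSIX shell script that inventories the log4j-core jars under a SonarQube installation and reports which of the three log4j-core CVEs discussed above each jar is still exposed to, plus whether the JndiLookup class is still inside it. It assumes the jar file names carry the version (as Maven-built jars do, e.g. log4j-core-2.11.1.jar) and that SONARQUBE_HOME points at the installation; the bundled Elasticsearch under elasticsearch/lib is where SonarQube carries log4j-core, but the whole tree is searched. The fixed-in versions it uses are the ones Apache published for each release line. It also bears on the earlier question about -Dlog4j2.formatMsgNoLookups=true: Apache later documented that flag as insufficient against CVE-2021-45046, so the jar version is what to verify, not a JVM option.

```shell
#!/bin/sh
# Added example (not SonarSource code): list every log4j-core jar under a SonarQube
# installation and report its exposure to CVE-2021-44228, CVE-2021-45046 and
# CVE-2021-45105. Assumption: the jar file name carries the version, as Maven-built
# jars do (log4j-core-2.11.1.jar). Fixed-in versions are Apache's per release line.

# "2.11.1" -> 2011001. Qualifiers such as "-beta9" are dropped; missing parts count as 0.
ver_num() {
    v=${1%%-*}
    set -- $(printf '%s' "$v" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print "OK" or "VULNERABLE: <CVE list> (fixed in <version>)" for one log4j-core version.
log4j_status() {
    v=$1
    case "$v" in
        2.12.*)    f44228=2.12.2; f45046=2.12.2; f45105=2.12.3 ;;  # Java 7 backport line
        2.3|2.3.*) f44228=2.3.1;  f45046=2.3.1;  f45105=2.3.1  ;;  # Java 6 backport line
        *)         f44228=2.15.0; f45046=2.16.0; f45105=2.17.0 ;;  # Java 8+ line (used by the bundled Elasticsearch)
    esac
    n=$(ver_num "$v")
    cves=""
    [ "$n" -lt "$(ver_num "$f44228")" ] && cves="$cves CVE-2021-44228"
    [ "$n" -lt "$(ver_num "$f45046")" ] && cves="$cves CVE-2021-45046"
    [ "$n" -lt "$(ver_num "$f45105")" ] && cves="$cves CVE-2021-45105"
    if [ -z "$cves" ]; then
        echo "OK"
    else
        echo "VULNERABLE:$cves (fixed in $f45105)"
    fi
}

# Report whether the JndiLookup class is still inside the jar. Deleting that class was
# Apache's documented mitigation for CVE-2021-44228/45046 when upgrading was impossible;
# it does not address CVE-2021-45105, so the version check above still matters.
jndi_state() {
    command -v unzip >/dev/null 2>&1 || { echo "unknown (no unzip)"; return 0; }
    listing=$(unzip -l "$1" 2>/dev/null) || { echo "unreadable"; return 0; }
    case "$listing" in
        *org/apache/logging/log4j/core/lookup/JndiLookup.class*) echo "present" ;;
        *) echo "removed" ;;
    esac
}

# Walk an installation (argument, or $SONARQUBE_HOME) and print one tab-separated line
# per jar: path, version, CVE status, JndiLookup state.
scan_log4j_jars() {
    root=${1:-${SONARQUBE_HOME:?set SONARQUBE_HOME or pass a directory}}
    find "$root" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        name=$(basename "$jar" .jar)
        ver=${name#log4j-core-}
        printf '%s\t%s\t%s\tJndiLookup=%s\n' \
            "$jar" "$ver" "$(log4j_status "$ver")" "$(jndi_state "$jar")"
    done
}

# Usage: sh check-log4j.sh /opt/sonarqube   (or export SONARQUBE_HOME and pass nothing)
if [ $# -gt 0 ]; then
    scan_log4j_jars "$1"
fi
```

Run it against the old 7.9.x tree before the upgrade and against the 8.9.6 tree afterwards; the before run should show the Elasticsearch jar as VULNERABLE and the after run should show OK with JndiLookup either present on a fixed version or removed. An empty result means no log4j-core jar was found under that root, which is worth confirming by hand rather than treating as a pass.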