Hello everyone, We are using sonarqube 7.9.5 can any one please let us know if our sonarqube instance impacted by log4j vulnerability mentioned at below link- [image] CVE-2021-44228 - GitHub Advisory Database Remote code injection in Log4j If yes, can anyon…

Hi @sahmed and welcome to the community :wave: Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is: 7.9.5 → 7.9.6 → 8.9.3 → 9.2.1 (last step optional) You may find the Upgrade Guide and the LTS-to-LTS Up…

As this version is not supported anymore i can not make any claim about a version that is EOL. I can only strongly recommend that you should upgrade, because there are other vulnerabilities in this version due to outdated dependencies.

Just to be clear @sahmed , you don’t need to hit 7.9.6 on the way to 8.9.3. You can go directly from 7.9.5 to 8.9.3. Ann

Hi @Tobias_Trabelsi , @ganncamp , We are planning to upgrade our SonarQube insatnces, Could you please let us know if we have any fixed versions released which aree not impacted by both log4j CVE’s (CVE-2021-44228 and CVE-2021-45046)?

Thank You @Tobias_Trabelsi , just to confirm does 8.9.5 addresses both CVE-2021-44228 and CVE-2021-45046? Also can we directly upgrade from 7.9.5 to 8.9.5? or we need to upgrade to intermediate versions first?

Hi, yes, Sonarqube 8.9.5 LTS and 9.2.3 adress both log4shell (CVE-2021-44228) and CVE-2021-45046. You may go straight from 7.9.5 to 8.9.5 As Ann already mentioned when 8.9.4 and 8.9.5 were not yet available. This still stands with 8.9.5 [image] ganncamp: Just to be clear @sahmed , you don’t …

Thank You @anon67236913 this helps :slight_smile:

Is sonarqube 7.9.5 vulnerable to (CVE-2021-44228) log4j vulnerabilities

SonarQube Server / Community Build

Tobias_Trabelsi (Tobias Trabelsi) December 17, 2021, 3:38pm 9

Please take a look at this announcement: SonarQube, SonarCloud, and the Log4J vulnerability

Topic		Replies	Views
SonarQube and CVE-2021-44228 SonarQube Server / Community Build sonarqube , security	3	4726	December 10, 2021
What is the impact of Log4j on the SonarQube version 9.1.0.47736 SonarQube Server / Community Build	3	1303	December 17, 2021
Sonarqube 8.6.x - Log4j vulnerability SonarQube Server / Community Build sonarqube , scanner , azuredevops-services	1	1419	December 16, 2021
How to fix Log4J Vulnerabilities in Sonar 7.9.5 Version SonarQube Server / Community Build sonarqube	1	893	January 6, 2022
Script to patch Log4j vulnerability SonarQube Server / Community Build	4	466	April 14, 2022

Is sonarqube 7.9.5 vulnerable to (CVE-2021-44228) log4j vulnerabilities

Related topics