Can you just confirm that the solution provided by Ann is applicable for SonarQube 7.9.5 as well? Will it mitigate the Log4Shell vulnerability if I add the below line to the sonar.properties file for SonarQube 7.9.5?
As this version is not supported anymore, I cannot make any claim about a version that is EOL. I can only strongly recommend that you upgrade, because there are other vulnerabilities in this version due to outdated dependencies.
We are planning to upgrade our SonarQube instances. Could you please let us know if there are any fixed versions released which are not impacted by both log4j CVEs (CVE-2021-44228 and CVE-2021-45046)?
Yes, SonarQube 8.9.5 LTS and 9.2.3 address both Log4Shell (CVE-2021-44228) and CVE-2021-45046.
You may go straight from 7.9.5 to 8.9.5.
As Ann already mentioned when 8.9.4 and 8.9.5 were not yet available:
This still stands with 8.9.5.
As suggested earlier by you guys, we are upgrading SonarQube in our lower environment to 8.9.6. I wanted some assistance on it. Could you please help us understand what we should do for our installed plugins? The upgrade guide says to install the plugins manually again, but I suspect that if we freshly install the plugins we will lose the configuration for each plugin and would need to reconfigure it. Please help here.
What plugins do you use?
When updating from 7.9.5 you first need to check whether your plugins are still compatible with SonarQube 8.9.x.
Some plugins use hardcoded SonarQube versions, which might cause problems.
Before starting a new SonarQube version, I put the plugin jars into $SONARQUBE_HOME/extensions/plugins.
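The two checks raised in this reply (are the plugin jars in extensions/plugins built for the target SonarQube release, and does the install still carry an old log4j-core anywhere) can be scripted before the first start of the new version. The script below is an added example written for this thread; it is not code from SonarSource or from any post above. It assumes the standard layout ($SONARQUBE_HOME/extensions/plugins for third-party plugins, jars elsewhere under the home), that plugin manifests carry the Plugin-Key, Plugin-Version and Sonar-Version headers written by the SonarSource packaging tooling (Sonar-Version being the minimum SonarQube release the plugin was built against), and that the log4j-core version can be read from the jar filename. The minimum log4j-core version defaults to 2.17.0, the first release that fixes all three log4j-core CVEs from December 2021. The sample install it builds when SONARQUBE_HOME is unset is constructed for a dry run only.

```python
"""Pre-start checks for a SonarQube home: stale log4j-core jars and plugin headers.

Added example for the upgrade discussion above; not SonarSource code.
Assumptions: plugin jars live in extensions/plugins, plugin manifests carry
Plugin-Key / Plugin-Version / Sonar-Version, and log4j-core jars are named
log4j-core-<version>.jar.
"""
import os
import re
import tempfile
import zipfile

LOG4J_CORE_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$")
MANIFEST_KEYS = ("Plugin-Key", "Plugin-Version", "Sonar-Version")


def version_tuple(text, width=3):
    """'2.17.1' -> (2, 17, 1); zero-padded so '8.9' compares as (8, 9, 0)."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple((parts + [0] * width)[:width])


def find_log4j_core(root, minimum="2.17.0"):
    """Walk the whole install and return one dict per log4j-core jar found."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = LOG4J_CORE_RE.match(name)
            if m:
                found.append({
                    "path": os.path.join(dirpath, name),
                    "version": m.group(1),
                    "vulnerable": version_tuple(m.group(1)) < version_tuple(minimum),
                })
    return sorted(found, key=lambda e: e["path"])


def read_manifest(jar_path):
    """Parse META-INF/MANIFEST.MF ('Key: value' lines, space-prefixed continuations)."""
    with zipfile.ZipFile(jar_path) as jar:
        raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, last = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            attrs[last] = value
    return attrs


def inspect_plugins(root, target="8.9.6"):
    """Report every jar in extensions/plugins with its SonarQube plugin headers."""
    plugin_dir = os.path.join(root, "extensions", "plugins")
    names = sorted(os.listdir(plugin_dir)) if os.path.isdir(plugin_dir) else []
    report = []
    for name in names:
        if not name.endswith(".jar"):
            continue
        attrs = read_manifest(os.path.join(plugin_dir, name))
        info = {k: attrs.get(k) for k in MANIFEST_KEYS}
        info["jar"] = name
        minimum = info["Sonar-Version"]
        # A plugin whose declared minimum SonarQube version is above the target
        # cannot load; one with no header at all is not a SonarQube plugin jar.
        info["loadable"] = bool(minimum) and version_tuple(minimum) <= version_tuple(target)
        report.append(info)
    return report


def audit(root, minimum="2.17.0", target="8.9.6"):
    return {"log4j": find_log4j_core(root, minimum), "plugins": inspect_plugins(root, target)}


def _write_jar(path, manifest_attrs):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    lines = ["Manifest-Version: 1.0"] + [f"{k}: {v}" for k, v in manifest_attrs.items()]
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")


def build_sample_install():
    """Constructed sample home (not a real SonarQube install) for a dry run."""
    root = tempfile.mkdtemp(prefix="sonarqube-sample-")
    _write_jar(os.path.join(root, "lib", "common", "log4j-core-2.17.1.jar"), {})
    # Constructed: a stale copy left behind from an older install.
    _write_jar(os.path.join(root, "extensions", "oldcopy", "log4j-core-2.14.1.jar"), {})
    _write_jar(os.path.join(root, "extensions", "plugins", "legacy-plugin-1.0.jar"),
               {"Plugin-Key": "legacy", "Plugin-Version": "1.0", "Sonar-Version": "7.9"})
    _write_jar(os.path.join(root, "extensions", "plugins", "future-plugin-2.0.jar"),
               {"Plugin-Key": "future", "Plugin-Version": "2.0", "Sonar-Version": "9.2"})
    return root


if __name__ == "__main__":
    home = os.environ.get("SONARQUBE_HOME") or build_sample_install()
    result = audit(home)
    for entry in result["log4j"]:
        print(("VULNERABLE " if entry["vulnerable"] else "ok         ") + entry["path"])
    for plugin in result["plugins"]:
        print(("loadable   " if plugin["loadable"] else "REVIEW     ")
              + f'{plugin["jar"]} key={plugin["Plugin-Key"]} min-sonar={plugin["Sonar-Version"]}')
```

Run it with SONARQUBE_HOME pointing at the unpacked new release after copying the plugin jars across. A "loadable" plugin only means its declared minimum version is not above the target; a plugin that hardcodes a SonarQube version in its code, as mentioned in the reply above, still needs a test start in the lower environment.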
I also had one more doubt, as my original post was about remediating the Log4Shell vulnerability. Could you please let us know if there are any additional steps we need to do after upgrading to 8.9.6 to remediate the log4j vulnerability?
With regard to the log4j-core CVEs, nothing additional needs to be done.
SonarQube 8.9.6 LTS and 9.2.4 deal with all three log4j-core CVEs that are known so far.
In addition to my earlier answer to your plugin question:
As those plugins are all provided by SonarSource and built into the SonarQube edition, you don't need to do anything but point your new SonarQube version to the existing database.
And as always recommended, you should have a backup of your database.