Is sonarqube 7.9.5 vulnerable to (CVE-2021-44228) log4j vulnerabilities

WRT to the log4j-core CVEs there is no additional doing needed.
Sonarqube 8.9.6 LTS and 9.2.4 deal with all 3 log4j-core CVEs that are known so far.

In addition to my further answer to your plugin question =
As those plugins are all provided by Sonarsource and builtin in the Sonarqube edition,
you don’t need to do anything but to point your new Sonarqube version to the existing database.
And as always recommended, you should have a backup of your database.

1 Like