Log4j 2 security issue

The latest SonarQube seems to include log4j 2 as Elasticsearch dependency.
A pretty bad RCE has been found in log4j 2, see Log4Shell: RCE 0-day exploit found in log4j, a popular Java logging package | LunaSec and it is likely this could be exploited in some way through SonarQube.

I was wondering if and when patches will be available?

I would have asked this through some kind of private channel, but Sonar does not provide any support, nor can security contacts be found anywhere (which is quite a bad security posture for an organisation developing a SAST, tbh).

Hi @MikeN ,

We are aware of this report and are currently evaluating the impact of this finding.

In regard to your other question: we have a responsible disclosure guide here, which would be the correct way to report this finding.
I have unlisted your post until we are done with the evaluation. After that I will relist this thread with an update message.

Thanks. I failed to check the well-known location, and a community post for your responsible disclosure guide is basically unfindable through Google. I would really suggest to also include a link somewhere on your website, like on Contact | SonarSource, as that is where people will be looking if they want to contact you regarding something.


Hi @MikeN ,

We published a statement regarding this log4j vulnerability here: SonarQube and the Log4J vulnerability

With that I am relisting this thread.