Log4j vulnerability - remove the JndiLookup class from the classpath

We are using SonarQube Community version 6.7.3 and exploring a fix for the Log4j vulnerability. We have to stick to this version for now and have parallel efforts to go with the paid version next year.

One of the solutions proposed by Apache at Log4j – Apache Log4j Security Vulnerabilities is to remove the JndiLookup class from the classpath using “zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class” to mitigate the Log4j vulnerability. Does SonarQube support this approach?
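
A check for whether the class named in the command above is still present, as an added example that is not part of the original posts or of SonarQube. It goes beyond the single-jar `zip -d` case by also looking inside archives nested in other archives; the sample jars are constructed in memory, and `find_jndi_lookup`, `scan_tree` and `make_jar` are names chosen for this example.

```python
import io
import os
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_NESTED_BYTES = 256 * 1024 * 1024  # skip oversized nested entries instead of inflating them

def find_jndi_lookup(data, label, depth=0, max_depth=4):
    """Return a label for every archive, nested ones included, that still holds the class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive
    with zf:
        for info in zf.infolist():
            if info.filename == JNDI_CLASS:
                hits.append(label)
            elif (info.filename.lower().endswith(ARCHIVE_EXTS)
                  and depth < max_depth and info.file_size <= MAX_NESTED_BYTES):
                nested = f"{label}!/{info.filename}"
                hits += find_jndi_lookup(zf.read(info), nested, depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Walk a directory (for example an install directory) and check every archive under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits += find_jndi_lookup(fh.read(), path)
    return hits

def make_jar(entries):
    """Build a constructed sample archive in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: file names and contents are placeholders, not real log4j builds.
    unpatched = make_jar({JNDI_CLASS: b"stub", "org/apache/logging/log4j/core/Logger.class": b"stub"})
    stripped = make_jar({"org/apache/logging/log4j/core/Logger.class": b"stub"})
    fat = make_jar({"BOOT-INF/lib/log4j-core-sample.jar": unpatched, "app/Main.class": b"stub"})
    for label, data in [("unpatched.jar", unpatched), ("stripped.jar", stripped), ("fat.jar", fat)]:
        print(label, "->", find_jndi_lookup(data, label) or "JndiLookup.class not found")
```

The check matches only the exact entry path used in the `zip -d` command, so a copy of the class that was relocated to a different package during shading is not reported.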

Hi @bmaddali ,

The 6.7.3 version is way out of support at this point, so you won’t get an official reply on whether this approach is supported for your version. The best path forward is to upgrade to a patched version of SonarQube (8.9.5 LTS or 9.2.3). There are community versions available for these, so the upgrade to a paid version can still happen next year.




Welcome to the community!

I just want to point out that you can (and should!!) go ahead and upgrade to a current version without moving to a paid edition. And doing the upgrades now in Community Edition will ease your upgrade path to a commercial edition in the new year.

Your upgrade path is:

6.7.3 → 7.9.6 → 8.9.5 → 9.2.3 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.