Hi @kafeel ,
we created a specific post to address this Log4J vulnerability: SonarQube, SonarCloud, and the Log4J vulnerability
It’s recommended to update to 8.9.6 to really be certain there will be no more issue, even if 8.9.4 could be enough. A good practice in general is to always be on the last LTS version (8.9.X with the last X possible) or latest version (9.2/9.3…).
Carine