Log4j - Will Removing Env Vars Fix In Lieu Of Upgrade

Hey Sonar Community:

Would like to know if following steps to remove environment variables from Log4j on SQ version Community Edition * Version 7.9.1 (build 27448) has same effect - think the answer is yes but want to confirm removal of those will not adversely impact the app.

Would use the fixes noted here - Quick fix for log4j vulnerability using environment variables – iamroot.it.

Has anyone done same on any version of SQ & was it a good outcome?


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.9.1 → 8.9.6 → 9.3 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.


I’m parking the upgrade for now - immediate need is a response on log4j & if changes to env vars will bump into SQube