Script to patch Log4j vulnerability

Hello,

We are currently using SonarQube Enterprise 7.9.2, which has been under noncompliance due to Log4j vulnerability issues. While working on building new environments to host the latest version of SonarQube Enterprise (8.9.6 or 9.3), we are looking for a safe way to fix Log4j issues without breaking the current PROD environments. We are asking if you can provide a PowerShell script to patch the issue for version 7.9.2. If there is no such script, then are there any instructions to fix the issue manually?

Thanks.
Ha Ta

Hi,

Welcome to the community!

We have no fix for you for 7.9.*. Your fix is to upgrade.

Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.9.2 → 8.9.8 → 9.4 (last step optional)

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes helpful. If you have questions about upgrading, feel free to open a new thread for that here.

HTH,
Ann

Thanks for your prompt response.

Hi, as I mentioned in my previous post, we’re building a brand new machine to host SonarQube. Can we install 8.9.8 or 9.4, or do we have to follow this upgrade path 7.9.2 → 8.9.8 → 9.4 (last step optional)? Thanks.

Hi,

You don’t need to install 7.9.2 on the new machine. Just start there with 8.9.8 and point it at the existing DB.

HTH,
Ann