Sonarqube 8.6.x - Log4j vulnerability

Devendran · December 16, 2021, 6:02pm

Hi Team,

With regards to recent events with globally reported Log4j vulnerability (CVE-2021-45046 and CVE-2021-44228).

We are currently using Sonarqube DE 8.6.1.40680. And it has the following two plugins with log4j.

Elastic search
sonarqube-developer-8.6.1.40680/sonarqube-8.6.1.40680/elasticsearch/config/log4j2.properties
sonarqube-developer-8.6.1.40680/sonarqube-8.6.1.40680/elasticsearch/lib/log4j-api-2.11.1.jar
sonarqube-developer-8.6.1.40680/sonarqube-8.6.1.40680/elasticsearch/lib/log4j-core-2.11.1.jar
Sonarqube unit tests
sonarqube-developer-8.6.1.40680/sonarqube-8.6.1.40680/lib/common/log4j-api-2.8.2.jar
sonarqube-developer-8.6.1.40680/sonarqube-8.6.1.40680/lib/common/log4j-to-slf4j-2.8.2.jar

Can you please provide details on the impacts to 8.6.x?

Should we upgrade this to the latest version or any mitigation available for this?

Regards,
Deva

DefinitelyNotTobi · December 16, 2021, 9:36pm

Hi @Devendran and welcome to the community

you can follow this thread for more information about the current log4j CVE and SonarQube.
Your version is EOL tho. The current supported versions of SonarQube are 8.9.x and 9.2

hope that helps

Topic		Replies	Views
SonarQube and CVE-2021-44228 SonarQube Server / Community Build sonarqube , security	3	4644	December 10, 2021
SonarQube, SonarCloud, and the Log4J vulnerability Sonar Updates	163	86393	October 11, 2022
Elstic Search Log4j SonarQube Server / Community Build sonarqube , scanner	1	838	July 15, 2022
SonarQube 8.9.6 LTS and 9.2.4 released Releases sonarqube	2	8479	December 21, 2021
Hi, We have now the latest version of Sonaeqube 8.9.5 LTS but the log4j version is on 2.16. Is there any plan to upgrade log4j to 2.17. Is log4j version 2.16 are vulnerable? SonarQube Server / Community Build 8-9-lts-upgrade	2	1324	December 22, 2021

Sonarqube 8.6.x - Log4j vulnerability

Related topics