SonarSource is pleased to inform you of the releases of SonarQube 8.9.4 LTS and SonarQube 9.2.2.
SonarQube 8.9.3 LTS and SonarQube 9.2.1, which these new releases replace, are not directly susceptible to the Log4J vulnerability (CVE-2021-44228). Nonetheless, out of an abundance of caution these new SonarQube versions update Log4J to a non-vulnerable version and add a JVM property by default to protect the Elasticsearch component.
See SonarQube, SonarCloud, and the Log4J vulnerability for more information.
As usual, download is available at sonarqube.org.