SonarQube 8.9.4 LTS and 9.2.2 released

Chris · December 14, 2021, 4:19pm

Hi all,

SonarSource is pleased to inform you of the releases of SonarQube 8.9.4 LTS and SonarQube 9.2.2.
SonarQube 8.9.3 LTS and SonarQube 9.2.1, which these new releases replace, are not directly susceptible to the Log4J vulnerability (CVE-2021-44228). Nonetheless, out of an abundance of caution these new SonarQube versions update Log4J to a non-vulnerable version and add a JVM property by default to protect the Elasticsearch component.
See SonarQube, SonarCloud, and the Log4J vulnerability for more information.

SonarQube 8.9.4 release notes are here.
SonarQube 9.2.2 release notes are here.
Please open new threads for any questions you have.

As usual, download is available at sonarqube.org.

Chris

Anthony_Diaz · December 14, 2021, 9:31pm

Does this 9.2.2 version take into account the late breaking news concerning the issues reported with Log4j v2.15 and the latest advice to move to v2.16 (and the fact that the “log4j2.formatMsgNoLookups” parameter does not properly remediate the issue).

See this article for latest guidance stating v2.16 is the correct target. Log4j – Apache Log4j 2

Michael_McCallum · December 14, 2021, 9:38pm

I’m looking at the docker images for 8.9.4 and 9.2.2 for -developer and they both still have 2.11.1 log4j2, can you clarify?

bit01 · December 14, 2021, 9:39pm

I’m curious if this removes log4j versions before 2.15, doing a quick find seems to display the old versions still.

$ find /opt/sonarqube-9.2.2.50622/ -iname *log4j*.jar
/opt/sonarqube-9.2.2.50622/elasticsearch/lib/log4j-api-2.11.1.jar
/opt/sonarqube-9.2.2.50622/elasticsearch/lib/log4j-core-2.11.1.jar

R0Wi · December 15, 2021, 7:13am

Same here, i’m running SonarQube 8.9.4.50575 (sonarqube:lts-developer latest) as docker container, freshly pulled this morning.
A find /opt/sonarqube -name 'log4j*.jar' gives me

/opt/sonarqube/elasticsearch/lib/log4j-core-2.11.1.jar
/opt/sonarqube/elasticsearch/lib/log4j-api-2.11.1.jar

I Also copied the log4j-core-2.11.1.jar from the container to my host machine and it seems like it still contains the vulnerable classfile JndiLookup.class so CVE-2021-45046 still doesn’t seem to be fixed?

In the meantime i’ll use a custom docker image which applies the officially mentioned fix for CVE-2021-45046 when using log4j NOT matching 2.12.2 and 2.16.0:

FROM sonarqube:lts-developer
RUN apk --no-cache add zip \
 && zip -q -d /opt/sonarqube/elasticsearch/lib/log4j-core-2.11.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

muhyid · December 15, 2021, 8:24am

This screenshot is from 8.9.4.50575 Community Edition:

ganncamp · December 15, 2021, 12:56pm

Hi all,

Thanks for sharing your concerns. I’ve just posted a new update in the main thread on the topic:

If you have further questions/concerns on the issue, please direct them to that thread; it’s the thread were monitoring.

This thread has already gotten long, and since further posts would likely be about the same/similar concerns - which should be directed to the other^ thread - I’m going to close this thread.

Ann