SonarQube 8.9.5 LTS and 9.2.3 released

Chris · December 16, 2021, 5:38pm

Hi all,

SonarSource is pleased to inform you of the releases of SonarQube 8.9.5 LTS and SonarQube 9.2.3.

Given the newly reported CVE-2021-45046 about Log4J, and out of an abundance of caution, we have released 2 new SonarQube updates:

The SonarQube Log4J test dependency is updated to 2.16. This dependency is not used outside of unit testing, nor is it included in the SonarQube distribution. It is not susceptible to the CVEs being reported. Nonetheless, we have upgraded it to eliminate confusion.
The Elasticsearch component is updated to its latest bug fix version, 7.16.1, which removes the potentially problematic components of Log4J. Additionally, it should be noted that SonarQube programmatically adds the log4j2.formatMsgNoLookups=true JVM property on starting up Elasticsearch. More explanations from Elasticsearch here.

SonarQube 8.9.5 release notes are here.
SonarQube 9.2.3 release notes are here.

Please create new posts on SonarQube, SonarCloud, and the Log4J vulnerability for any questions/concerns on the Log4J topic.

Chris

Topic		Replies	Views
SonarQube, SonarCloud, and the Log4J vulnerability Sonar Updates	163	86357	October 11, 2022
SonarQube 8.9.6 LTS and 9.2.4 released Releases sonarqube	2	8466	December 21, 2021
SonarQube 8.9.4 LTS and 9.2.2 released Releases sonarqube	8	6183	December 15, 2021
Hi, We have now the latest version of Sonaeqube 8.9.5 LTS but the log4j version is on 2.16. Is there any plan to upgrade log4j to 2.17. Is log4j version 2.16 are vulnerable? SonarQube Server / Community Build 8-9-lts-upgrade	2	1324	December 22, 2021
SonarQube and CVE-2021-44228 SonarQube Server / Community Build sonarqube , security	3	4641	December 10, 2021