Sonarqube affected by ghostcat CVE?

anon67236913 · March 5, 2020, 12:59pm

Hi,

just to be sure, as this came up recently.
Is Sonarqube affected by this CVE due to embedded Tomcat ?

Gilbert

Colin · March 5, 2020, 1:08pm

SonarQube should not be affected as we don’t use the AJP protocol – still, SonarQube will bump the version of Tomcat up in SonarQube v8.3 to remove any risk and also stop showing up on security reports.

pierreguillot · March 5, 2020, 2:14pm

We specifically removed the support for the AJP since SonarQube 6.1, with SONAR-7989

Still, as Colin pointed out, the fix is already merged on master and will be available with 8.3.

anon67236913 · March 5, 2020, 2:27pm

@Colin, @pierreguillot

Thanks for the details!

Topic		Replies	Views
Sonarqube 9.7 has tomcat 9.0.62 embedded, but CVE-2022-29885 affects tomcat 9.0.62 SonarQube Server / Community Build cve	2	866	November 7, 2022
How do we update default Tomcat SonarQube Server / Community Build	5	686	April 19, 2024
Is Sonarqube affected by CVE-2020-9484? SonarQube Server / Community Build sonarqube , security	6	483	August 31, 2020
Which SonarQube Community Version mitigates CVE-2024-34750 SonarQube Server / Community Build sonarqube	7	160	August 6, 2024
Tomcat vulnerability SonarQube Server / Community Build security	12	1490	November 18, 2020

Sonarqube affected by ghostcat CVE?

Related topics