SonarQube affected by Java CVE-2022-21449 relating to ECDSA signatures?

Oracle announced a new high-profile bug and fix yesterday. Can you advise on how we should patch our self-managed SonarQube instance please?



Hi, no news on this matter whatsoever. Are the self-hosted SonarQube servers affected by this vulnerability?

Hey all.

As noted in the Requirements, SonarQube is only supported as running on Java 11, which appears to not be affected by CVE-2022-21449.

In any case, users must bring their own JVM that runs SonarQube, and therefore can always make sure they are running the latest version (with the latest security patches).

We believe we are not affected by the CVE-2022-21449 vulnerability, even if an affected JRE is used.


