SonarQube and CVE-2021-44228

Hello,

SonarQube is using log4j. Today I learned about the critical vulnerability CVE-2021-44228. We are using SonarQube 8.7.1 which uses a vulnerable version of log4j (2.8.2). Do you have any suggestion how to mitigate the risk? Is replacing log4j-api-2.8.2.jar with a new version of the jar file going to help?

Thank you,
Armenak

Hi,

Here’s what you’re looking for:

Ann

Thank you Ann. But what property I should add to sonar.properties file?

It’s in the post. Just click through.

:smiley:
Ann