Hello, SonarQube is using log4j. Today I learned about the critical vulnerability CVE-2021-44228. We are using SonarQube 8.7.1 which uses a vulnerable version of log4j (2.8.2). Do you have any suggestion how to mitigate the risk? Is replacing log4j-api-2.8.2.jar with a new version of the jar file g…

SonarQube and CVE-2021-44228

ganncamp (G Ann Campbell) December 10, 2021, 8:03pm 2

Hi,

Here’s what you’re looking for:

Ann