Hi,
only log4j-core is affected by log4shell (CVE-2021-44228) and CVE-2021-45046.
Just downloaded sonarqube-enterprise-8.9.5.50698 and sonarqube-enterprise-9.2.3.50713
The …/elasticsearch/lib/log4j-core-2.11.1.jar is removed, so all fine.
Gilbert
5 Likes