SonarQube, SonarCloud, and the Log4J vulnerability

Do you mean log4j-api-2.11.1? That one is safe (so far).
It is only log4j-core that contains the vulnerable class.

I was referring to all the discussion about “CVE-2021-45046, CVE-2021-44228, and CVE-2021-44228”.
All the discussion states 8.9 and 9.2 are okay, but there is no mention of 9.1.

There’s no mention to it because it’s not supported. :wink: The only supported versions are LTS (8.9.x) and the latest 9.2 release.



Hi,
Do you have more info about the CVE-2021-44832 vulnerability? (“CVE-2021-44832: A Medium Severity Was Found in Log4j”)
So, upgrade to log4j 2.17.1?

thanks

Vincent

Not a SonarSource employee, but:

In order to exploit CVE-2021-44832 you already have to have a bad actor on your network and/or on your server, with the configuration file badly configured. You will have way worse things to worry about and mitigate than this theoretical exploit (aka your network is totally owned).

This was a badly assigned CVE from security researchers hungry to hop onto the log4j bandwagon and grab some fame imo…

Where I work we will upgrade from 2.17.0 possibly in a few months in the next regular maintenance/module dependency upgrade period. Unless a real security vulnerability pops up.


Flagging vulnerability of file elasticsearch-sql-cli-7.12.1.jar (CVE-2021-44228)

Hello Sonar team, I updated the core and api log4j jars to new versions, but now I am getting flagged because another possibly “vulnerable” file exists in the SonarQube repository:

sonarqube-8.9.1\elasticsearch\bin\elasticsearch-sql-cli-7.12.1.jar – Vulnerable to CVE-2021-44228 or CVE-2021-45046

I am thinking of just deleting that file, since it contains an embedded version of log4j-2.14 and I don’t think this tool is actively used by Sonar.

Can you confirm it is safe to remove that file and that it won’t impact the proper operation of SonarQube?

Thanks

Version: Enterprise Edition Version 8.9.1 (build 44547)

Can’t upgrade these weeks because we have an issue with the DB; I need your confirmation on this, please!
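As an added illustration of the problem in this post (and of the earlier note that only log4j-core carries the vulnerable class), here is a small scanner, not SonarSource's code, that walks an install directory and reports every jar, including jars embedded inside other jars such as the CLI tool above, that still contains JndiLookup.class. The directory layout and jar names its demo builds are constructed stand-ins, not a real SonarQube install.

```python
import io
import os
import tempfile
import zipfile

# The class the CVE-2021-44228 hardening guidance removes; only log4j-core ships it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _inspect(zf, where):
    """Return the locations inside one open jar (nested jars included) that ship JndiLookup."""
    names = set(zf.namelist())
    hits = [where] if JNDI_LOOKUP in names else []
    for name in sorted(n for n in names if n.endswith(".jar")):
        try:  # nested jar, e.g. a CLI tool that bundles its own log4j-core
            hits += _inspect(zipfile.ZipFile(io.BytesIO(zf.read(name))), where + "!" + name)
        except zipfile.BadZipFile:
            pass  # not a real jar, nothing to inspect
    return hits


def scan_log4j_core(root):
    """Walk an install tree and list every jar path (outer!inner) still shipping JndiLookup."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    hits += _inspect(zf, os.path.relpath(path, root).replace(os.sep, "/"))
            except zipfile.BadZipFile:
                pass
    return hits


def demo():
    """Scan a constructed stand-in for a SonarQube tree (assumed layout, not a real install)."""
    core = io.BytesIO()  # fake log4j-core that still contains the lookup class
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(JNDI_LOOKUP, b"")
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "elasticsearch", "bin"))
        # a CLI tool jar embedding the old log4j-core, as the post describes
        with zipfile.ZipFile(os.path.join(root, "elasticsearch", "bin", "tool-cli.jar"), "w") as z:
            z.writestr("log4j-core-2.14.1.jar", core.getvalue())
        # a clean log4j-api jar: same groupId, but no core lookup class
        with zipfile.ZipFile(os.path.join(root, "log4j-api-2.17.1.jar"), "w") as z:
            z.writestr("org/apache/logging/log4j/Logger.class", b"")
        return scan_log4j_core(root)
```

Point `scan_log4j_core` at a real install directory to get the same outer!inner paths for jars that scanners such as the one in this post flag; the api jar is reported only if it actually contains the core lookup class.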

Hi @ivette07mar ,

Rather than butchering your current SonarQube install, your quickest way to address those vulnerabilities is to upgrade to 8.9.6 LTS where this is fixed. This version has no new functionality compared to yours, only security fixes, so an update should have no side effects that you’d otherwise need to mitigate.


Hello,

Any tentative date for the new release which will have the log4j 2.17.1 version?

Thanks,
Gajanan

Hi @gajju26,

Welcome to the community!

We anticipate releasing 9.3 on 31 January 2022.

HTH,
Ann


Thanks for the update!!! I am looking forward to contributing to this community.

Thanks,
Gajanan


Hi Ann,

Will there also be a version 8.9.7 LTS available January 31st?

Thanks,

Jeff

Hi Jeff,

It’s a fair question, but I don’t think so. I’m sure that will be included in the next LTS release, but we’re releasing 9.3 at the end of the month as a regularly-scheduled release, which also addresses this minor security question as a means of avoiding false positives. We’re not releasing it to address log4j 2.17.1.

HTH,
Ann


Thanks for the quick reply, Ann!

Jeff


Hi All,

I am using Community Edition version 7.1 and it has the log4j vulnerability (sonarqube\elasticsearch\lib\log4j-core-2.9.1.jar). How can I upgrade it to the latest version? Is there any document or guideline on it?

Thanks
Sanjeev

Welcome :slight_smile:

Yes, see Before You Upgrade | SonarQube Docs.
In your case it’s either
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS)
or even
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS) > 9.3.0 (latest version)

See Download | SonarQube and scroll down for historical versions.

Gilbert


Hi Ann,

Any plans to release 8.9 LTS with log4j 2.17.1?

Thanks,
Rukesh.

Hi Rukesh,

To be clear, our security researchers have found no way to exploit the Log4J vulnerabilities in any of the 8.9 point versions.

The latest releases of SonarQube - including the LTS - don’t use Log4J directly. The embedded Elasticsearch does contain Log4J but there is no vulnerability in the way Elasticsearch uses it. So we do not plan to upgrade Elasticsearch in the LTS.

HTH,
Ann


Thanks Ann,

Currently we have SonarQube 8.9.0.43852; can we upgrade it to the latest patch, 8.9.6 LTS?
Do we have to go to http://yourSonarQubeServerURL/setup, or is that not required?

Thanks,
Rukesh.