SonarQube, SonarCloud, and the Log4J vulnerability

Hi all,

As stated earlier, current supported versions of SonarQube are not vulnerable to this attack. Nonetheless, out of an abundance of caution and to alleviate fears, we’ve released updates to the Latest and the LTS that update Log4J to a non-vulnerable version and that add the JVM property by default.

Please see the official announcement for details: SonarQube 8.9.4 LTS and 9.2.2 released

If you have any concerns, you should upgrade to the newly-released 8.9.4 LTS or 9.2.2 (latest) immediately. No other versions are supported, and as such have not been examined w/r/t the Log4J vulnerability.

We will not be releasing Log4J patches to any other versions, nor will we be examining/testing other versions for vulnerability to the Log4J exploit. Thus, we cannot answer your questions about other versions. If you’re worried, you should upgrade to a supported version immediately.

Ann

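For readers who want to verify what the announcement describes on their own instance (a non-vulnerable Log4j version and the JVM mitigation property), the following is an added inventory check. It is not SonarSource code and is not part of the post above. Assumptions it makes: the Log4j jars live under a directory you point it at and are named `log4j-core-<version>.jar`; the JVM property the post refers to is `log4j2.formatMsgNoLookups`; and the version floor of 2.17.1 is a conservative default you can override.

```python
"""Inventory check for Log4j 2 in a Java application's lib directory (added example)."""
import re
import sys
from pathlib import Path

# Assumption: log4j-core jars follow the Maven naming convention log4j-core-<major>.<minor>.<patch>[-qualifier].jar
LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)(?:[-.].*)?\.jar$")

# Assumption: this is the JVM property the announcement means. It disables
# message lookups in Log4j 2.10+ and is only a mitigation, not a substitute for upgrading.
NOLOOKUPS_FLAG = re.compile(r"-Dlog4j2\.formatMsgNoLookups=true\b")

# Assumption: 2.17.1 is used as a conservative minimum for the December 2021
# Log4j advisories; callers can pass their own floor.
DEFAULT_MINIMUM = (2, 17, 1)

# Constructed sample of file names, standing in for a real lib directory listing.
SAMPLE_JARS = [
    "log4j-core-2.14.1.jar",
    "log4j-api-2.14.1.jar",
    "log4j-core-2.17.1.jar",
    "sonar-core-9.2.2.jar",
]


def parse_version(jar_name):
    """Return (major, minor, patch) for a log4j-core jar name, or None for any other file."""
    m = LOG4J_CORE.match(jar_name)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def report_jars(jar_names, minimum=DEFAULT_MINIMUM):
    """Map each log4j-core jar to 'ok' or 'below-minimum' by comparing its version tuple to the floor."""
    report = {}
    for name in jar_names:
        version = parse_version(name)
        if version is None:
            continue
        report[name] = "ok" if version >= minimum else "below-minimum"
    return report


def scan_lib_dir(lib_dir, minimum=DEFAULT_MINIMUM):
    """Walk a directory tree and report every log4j-core jar found under it."""
    names = (p.name for p in Path(lib_dir).rglob("log4j-core-*.jar"))
    return report_jars(names, minimum)


def has_nolookups_flag(java_opts):
    """True if the JVM option string carries the no-lookups mitigation property."""
    return bool(NOLOOKUPS_FLAG.search(java_opts))


def needs_action(jar_names, java_opts, minimum=DEFAULT_MINIMUM):
    """True when at least one log4j-core jar is below the floor and the mitigation flag is absent.

    An old jar with the flag set still counts as needing an upgrade; this only
    reports that the immediate exposure is reduced.
    """
    report = report_jars(jar_names, minimum)
    outdated = any(state == "below-minimum" for state in report.values())
    return outdated and not has_nolookups_flag(java_opts)


if __name__ == "__main__":
    # Usage: python check_log4j.py <lib_dir> "<java opts string>"
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    java_opts = sys.argv[2] if len(sys.argv) > 2 else ""
    for jar, state in sorted(scan_lib_dir(lib_dir).items()):
        print(f"{state:14} {jar}")
    print("no-lookups flag present:", has_nolookups_flag(java_opts))
```

The version comparison works on integer tuples, so `2.17.1` correctly sorts above `2.9.1`; a string comparison would get that wrong. The check treats the JVM property as a stop-gap only, which matches the post's advice that the supported fix is the upgrade itself.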