SonarQube, SonarCloud, and the Log4J vulnerability

Hi all,

SonarSource CTO Andrea Malagodi asked me to post this statement:

Hi all,

To be clear, at this time our security researchers have not found SonarQube LTS (8.9.3 or 8.9.4) or latest (9.2.1 or 9.2.2) to be susceptible to any of the CVEs in relation to Log4j (CVE-2021-45046 and CVE-2021-44228).

Since the situation is evolving and new findings are coming out, we wanted to share an update that we hope will put to rest any concerns you may have.

In SonarQube there are two instances of Log4J:

  • One is used by SonarQube’s unit tests and is not used outside of unit testing or included in the SonarQube distribution. This test dependency is not susceptible to the CVEs being reported. Nonetheless, we plan to update it.
  • The other is packaged with Elasticsearch.

We are working closely with Elasticsearch and yesterday’s releases, 9.2.2 and 8.9.4 LTS, apply the mitigation they recommended at the time (log4j2.formatMsgNoLookups=true JVM property).

Given the newly reported CVE-2021-45046, we are working to adopt Elasticsearch’s forthcoming update and issue new releases with those changes as soon as possible.

The situation is clearly still developing and we remain focused on addressing the issue as thoroughly and quickly as possible and on providing you with relevant updates as soon as we can.

Andrea Malagodi,
CTO, SonarSource

Ann

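For readers who want to verify their own deployment rather than rely on the statement alone, here is an added example that is not SonarSource's or Elasticsearch's code. It walks an install directory for bundled `log4j-core` jars, reads each jar's version from its manifest (falling back to the filename), and classifies it against CVE-2021-44228 and CVE-2021-45046 using the ranges from the Apache Log4j advisories (44228 fixed in 2.15.0, 45046 fixed in 2.16.0, with 2.12.2 as the Java 7 backport). It also checks a JVM command line for the `log4j2.formatMsgNoLookups=true` property mentioned in the post, which only counts as a partial mitigation. The `/opt/sonarqube` path is a placeholder, the `demo()` jars are constructed in a temporary directory, and nested or shaded jars are not unpacked; all of those are assumptions of this example.

```python
"""Classify bundled log4j-core jars against CVE-2021-44228 / CVE-2021-45046.
Added example, not SonarSource or Elasticsearch code. Version ranges are
taken from the Apache Log4j advisories; everything else here is assumed."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

# JNDI lookups first appeared in 2.0-beta9, so earlier builds are out of scope.
FIRST_AFFECTED = (2, 0, 0, 0, 9)
# CVE-2021-44228 was fixed in 2.15.0; CVE-2021-45046 in 2.16.0.
FIXED_44228 = (2, 15, 0, 1, 0)
FIXED_45046 = (2, 16, 0, 1, 0)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$")
_JAR_RE = re.compile(r"^log4j-core-(.+?)\.jar$")


def parse_version(text: str) -> tuple:
    """'2.14.1' or '2.0-beta9' -> (major, minor, patch, is_release, beta_no).
    Releases sort after betas of the same number, so 2.0 > 2.0-beta9."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, beta = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if beta else 1, int(beta or 0))


def assess(version: str) -> dict:
    """Return which of the two CVEs a given log4j-core version is exposed to."""
    v = parse_version(version)
    in_range = v >= FIRST_AFFECTED
    # 2.12.2 is the Java 7 backport carrying the same fixes as 2.16.0.
    java7_backport = (v[0], v[1]) == (2, 12) and v[2] >= 2
    return {
        "version": version,
        "cve_2021_44228": in_range and v < FIXED_44228 and not java7_backport,
        "cve_2021_45046": in_range and v < FIXED_45046 and not java7_backport,
    }


def jar_version(jar: Path) -> Optional[str]:
    """Prefer Implementation-Version from the manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError):
        pass  # not a zip, or no manifest: use the filename below
    m = _JAR_RE.match(jar.name)
    return m.group(1) if m else None


def scan(root: Path) -> list:
    """Find every log4j-core jar under root and classify it."""
    findings = []
    for jar in sorted(root.rglob("log4j-core*.jar")):
        ver = jar_version(jar)
        if ver is None:
            continue
        entry = assess(ver)
        entry["path"] = str(jar)
        findings.append(entry)
    return findings


def has_nolookups_flag(jvm_args: str) -> bool:
    """True if the command line carries the property from the post.
    This is a partial mitigation only: it does not cover CVE-2021-45046."""
    return "-Dlog4j2.formatMsgNoLookups=true" in jvm_args.split()


def demo() -> list:
    """Build a constructed install tree with two fake jars and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        es_lib = root / "elasticsearch" / "lib"
        es_lib.mkdir(parents=True)
        # Constructed jar with a manifest version (vulnerable to both CVEs).
        with zipfile.ZipFile(es_lib / "log4j-core-2.11.1.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: 2.11.1\r\n")
        # Constructed jar without a manifest; version comes from the filename.
        (root / "lib").mkdir()
        with zipfile.ZipFile(root / "lib" / "log4j-core-2.16.0.jar", "w") as zf:
            zf.writestr("placeholder.txt", "no manifest here")
        return scan(root)


if __name__ == "__main__":
    import sys
    # Placeholder path: point this at the real SonarQube install root.
    for finding in scan(Path(sys.argv[1] if len(sys.argv) > 1 else "/opt/sonarqube")):
        print(finding)
```

Run it against the install root and treat any entry with either CVE flag set as needing the Elasticsearch update the post refers to; a `True` from `has_nolookups_flag` on the Elasticsearch process command line confirms the interim property is in place but does not clear CVE-2021-45046.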