Hi all,
We’ve just released SonarQube 8.9.5 LTS and 9.2.3 (Latest) to address CVE-2021-45046. In these new versions:
- The SonarQube Log4J test dependency is updated to 2.16. This dependency is not used outside of unit testing, nor is it included in the SonarQube distribution. It is not susceptible to the CVEs being reported. Nonetheless, we have upgraded it to eliminate confusion.
- The Elasticsearch component is updated to its latest bug fix version, 7.16.1, which removes the potentially problematic components of Log4J. Additionally, it should be noted that SonarQube programmatically adds the log4j2.formatMsgNoLookups=true JVM property on starting up Elasticsearch.
More explanations from Elasticsearch here.
Note that the LTS and the Latest are the only two supported versions. All other versions are past EOL. Please update to one of the two supported versions as soon as you can.
Ann
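As an added example, not part of Ann's post or SonarSource's own tooling, the POSIX shell script below shows how an administrator could verify the two points the announcement makes on a running host: that the Elasticsearch JVM command line carries the -Dlog4j2.formatMsgNoLookups=true property, and that any bundled log4j-core jar is at the 2.16 fix level or later. The command lines and jar paths are constructed sample inputs; the function names, the /opt/sonarqube path and the use of `ps -o args=` to obtain a live command line are assumptions.

```shell
#!/bin/sh
# Added example (not SonarSource code). Checks a JVM command line for the
# Log4j no-lookups mitigation and classifies a log4j-core version string.

# Constructed sample command lines, as `ps -o args= -p <pid>` would print them.
SAMPLE_ES_CMD='/usr/lib/jvm/java-11/bin/java -Xms512m -Dlog4j2.formatMsgNoLookups=true -cp /opt/sonarqube/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch'
SAMPLE_OTHER_CMD='java -Xmx1g -jar /opt/someapp/app.jar'

# Return 0 when the command line ($1) contains the exact JVM property
# -Dlog4j2.formatMsgNoLookups=true as a standalone argument.
has_nolookups_flag() {
  case " $1 " in
    *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the version from a log4j-core jar path, e.g.
# /opt/x/lib/log4j-core-2.16.0.jar -> 2.16.0
log4j_core_version_from_name() {
  name=${1##*/}
  v=${name#log4j-core-}
  printf '%s\n' "${v%.jar}"
}

# Return 0 when a Log4j 2.x version ($1) is 2.16.0 or later, the level the
# announcement upgrades to. The version check matters because, per the
# Apache advisory for CVE-2021-45046, the noLookups property alone is not a
# complete fix; upgrading log4j-core is.
log4j_version_ok() {
  case "$1" in
    *[!0-9.]*|"") return 1 ;;   # reject non-numeric or empty input
  esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -eq 2 ] && [ "$minor" -ge 16 ]
}

# Human-readable report for one command line; prints PASS/FAIL lines.
audit_cmdline() {
  if has_nolookups_flag "$1"; then
    echo "PASS: JVM has -Dlog4j2.formatMsgNoLookups=true"
  else
    echo "FAIL: JVM lacks -Dlog4j2.formatMsgNoLookups=true"
  fi
}

# Report for a list of jar paths (constructed sample below).
audit_jars() {
  for jar in "$@"; do
    case "$jar" in
      */log4j-core-*.jar)
        v=$(log4j_core_version_from_name "$jar")
        if log4j_version_ok "$v"; then
          echo "PASS: $jar (log4j-core $v >= 2.16)"
        else
          echo "FAIL: $jar (log4j-core $v < 2.16, upgrade)"
        fi
        ;;
    esac
  done
}

# Stand-alone run over the constructed samples. On a real host replace the
# samples with: ps -o args= -p "$(pgrep -f org.elasticsearch.bootstrap)"
# and: find /opt/sonarqube -name 'log4j-core-*.jar'
audit_cmdline "$SAMPLE_ES_CMD"
audit_cmdline "$SAMPLE_OTHER_CMD"
audit_jars /opt/sonarqube/elasticsearch/lib/log4j-core-2.16.0.jar \
           /opt/legacy/lib/log4j-core-2.14.1.jar
```

The pattern match pads the command line with spaces so the property is only accepted as a whole argument; a value such as -Dlog4j2.formatMsgNoLookups=true2 or a partial string inside a classpath entry is not counted as the mitigation.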