SonarQube, SonarCloud, and the Log4J vulnerability

Flagging vulnerability of file elasticsearch-sql-cli-7.12.1.jar (CVE-2021-44228)

Hello Sonar team, I updated the core and API log4j jars to new versions, but now I am getting flagged because another possibly “vulnerable” file exists in the SonarQube repository:

sonarqube-8.9.1\elasticsearch\bin\elasticsearch-sql-cli-7.12.1.jar – Vulnerable to CVE-2021-44228 or CVE-2021-45046

I am thinking of just deleting that file, since it contains an embedded version of log4j 2.14 and I don’t think this tool is actively used by Sonar.

Can you confirm it is safe to remove that file and that it won’t impact the proper operation of SonarQube?

Thanks

Version: Enterprise Edition Version 8.9.1 (build 44547)

Can’t upgrade these weeks because we have an issue with the DB; I need your confirmation on this please!

Hi @ivette07mar ,

Rather than butchering your current SonarQube install, your quickest way to address those vulnerabilities is to upgrade to 8.9.6 LTS where this is fixed. This version has no new functionality compared to yours, only security fixes, so an update should have no side effects that you’d otherwise need to mitigate.

4 Likes

Hello,

Any tentative date for a new release which will have the log4j 2.17.1 version?

Thanks,
Gajanan

Hi @gajju26,

Welcome to the community!

We anticipate releasing 9.3 on 31 January 2022.

HTH,
Ann

2 Likes

Thanks for the update!!! I am looking forward to contributing to this community.

Thanks,
Gajanan

2 Likes

Hi Ann,

Will there also be a version 8.9.7 LTS available on January 31st?

Thanks,

Jeff

Hi Jeff,

It’s a fair question, but I don’t think so. I’m sure that will be included in the next LTS release, but we’re releasing 9.3 at the end of the month as a regularly-scheduled release, which also addresses this minor security question as a means of avoiding false positives. We’re not releasing it to address log4j 2.17.1.

HTH,
Ann

2 Likes

Thanks for the quick reply Ann !

Jeff


Hi All,

I am using Community Edition version 7.1 and it has a log4j vulnerability (sonarqube\elasticsearch\lib\log4j-core-2.9.1.jar). How can I upgrade it to the latest version? Is there any document or guideline on it?

Thanks
Sanjeev

Welcome 🙂

Yes, see Before You Upgrade | SonarQube Docs.
In your case it’s either
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS)
or even
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS) > 9.3.0 (latest version)

See Download | SonarQube and scroll down for historical versions.

Gilbert

3 Likes

Hi Ann,

Any plans to release 8.9 LTS with log4j 2.17.1?

Thanks,
Rukesh.

Hi Rukesh,

To be clear, our security researchers have found no way to exploit the Log4J vulnerabilities in any of the 8.9 point versions.

The latest releases of SonarQube - including the LTS - don’t use Log4J directly. The embedded Elasticsearch does contain Log4J but there is no vulnerability in the way Elasticsearch uses it. So we do not plan to upgrade Elasticsearch in the LTS.

HTH,
Ann

2 Likes

Thanks Ann,

Currently we have SonarQube 8.9.0.43852; can we upgrade it to the latest patch, 8.9.6 LTS?
Do we have to do http://yourSonarQubeServerURL/setup, or is it not required?

Thanks,
Rukesh.

Hi Rukesh,

Yes, you can go directly to 8.9.6. And when you do just a point version upgrade, there are no database changes, so no need to do /setup.

HTH,
Ann

1 Like

I saw that version 8.9.7 LTS has been available since February 2022.

In the release notes, it refers to version 8.9.6 and the update of Log4J to version 2.17.

So are there benefits to going to version 8.9.7 instead of 8.9.6?

Jeff

Hi,

You’re right. The release notes at Download | SonarQube for SonarQube 8.9.7 LTS
point to Release Notes - SonarSource
with only one Jira ticket for SonarQube 8.9.6, 9.2.4, 9.3:
“Update of Elasticsearch to 7.16.2, update of Log4J to 2.17”

The release notes for SonarQube 8.9.7 LTS are here; you may judge for yourself whether it is relevant for you.
In case of doubt, use either the most recent LTS or the latest Sonarqube version.

Gilbert

1 Like

Thanks Gilbert, just wondering if Log4J would be patched to version 2.17.1 (even though it is not a major fix) in LTS version 8.9.7, but we’ll go with the latest LTS version anyway (always a sure bet).

Thanks for the quick reply

Jeff

Hi Jeff,

If you really want a SonarQube version with Elasticsearch using log4j-core 2.17.1,
you’ll have to go with the latest version, SonarQube 9.3.0.
The release notes for SonarQube 9.3.0 have:
https://jira.sonarsource.com/browse/SONAR-15853
“Update of Elasticsearch to 7.16.2, update of Log4J to 2.17”
which in fact is wrong, as SonarQube 9.3.0 ships with …\elasticsearch\lib\elasticsearch-7.16.3.jar
and Elasticsearch version 7.16.3 | Elasticsearch Guide [7.16] | Elastic has

Upgrades

Infra/Logging

  • Upgrade to log4j 2.17.1 #82111

We started to use the latest SonarQube Enterprise version instead of the LTS in 2018 and had problems only with early 8.x versions, after the redesign of the branches feature.
And now, as it’s not possible anymore to update the scanner plugins independently, it’s even more important for us to use the latest version.

Gilbert

3 Likes
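Both the first post (a scanner flagging log4j embedded inside elasticsearch-sql-cli-7.12.1.jar) and Gilbert's check of which log4j-core jar a given Elasticsearch build actually ships come down to the same defender's task: inventorying every copy of log4j-core under an install tree, including copies shaded straight into another jar or nested jar-in-jar, and deciding which of them fall in the affected range. The script below is an added example written for this thread; it is not code from SonarSource, Elastic or any poster. It reads the Maven pom.properties marker that log4j-core release jars carry, recurses into embedded archives, and classifies each version against the published affected ranges for CVE-2021-44228 and CVE-2021-45046. The directory layout it builds for its self-test is constructed and only mimics the paths named in the thread; the jars it writes are stand-ins, not real log4j or Elasticsearch artifacts.

```python
"""Inventory log4j-core copies under an install tree (including shaded and nested jars)
and classify them against CVE-2021-44228 / CVE-2021-45046. Added example, not SonarQube code."""
import io
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# Maven metadata every log4j-core release jar carries; its "version=" line is the authoritative version.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The JNDI lookup class abused by CVE-2021-44228. Reported only as a secondary signal: 2.16+ still
# ship the class (disabled by default), so its presence alone does not make a jar vulnerable.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".zip")
# Maintenance releases on older branches that fixed both CVEs without moving to 2.16.
FIXED_BACKPORTS = {(2, 3, 1), (2, 12, 2), (2, 12, 3)}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1). Pre-release qualifiers such as '2.0-beta9' are ignored (conservative)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None


def is_affected(version):
    """True if the published affected range of CVE-2021-44228 (up to 2.14.1) or CVE-2021-45046
    (up to 2.15.0) covers this log4j-core version; None if the version cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    if v in FIXED_BACKPORTS:
        return False
    return (2, 0, 0) <= v < (2, 16, 0)


def _scan_archive(data, location, findings):
    """Inspect one archive held in memory and recurse into any archives it embeds."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        props = zf.read(LOG4J_CORE_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        version = m.group(1).strip() if m else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({"location": location, "log4j_core_version": version,
                         "jndi_lookup_present": has_jndi, "affected": is_affected(version)})
    for name in sorted(names):  # jar-in-jar: "outer.jar!/inner.jar" in the report
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            _scan_archive(zf.read(name), f"{location}!/{name}", findings)


def find_log4j(root):
    """Walk an install directory; return one finding per log4j-core copy, paths relative to root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings


def _write_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)


def _log4j_entries(version):
    # Minimal stand-in for a log4j-core jar: the Maven marker plus a placeholder class file.
    return {LOG4J_CORE_POM: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
            JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"}


def build_sample_install(root):
    """Constructed fixture mimicking the paths named in the thread (not a real SonarQube tree)."""
    root = Path(root)
    _write_jar(root / "elasticsearch/lib/log4j-core-2.9.1.jar", _log4j_entries("2.9.1"))
    # Shaded CLI jar with log4j 2.14.1 classes copied straight into it (the first post's case).
    _write_jar(root / "elasticsearch/bin/elasticsearch-sql-cli-7.12.1.jar",
               {"org/elasticsearch/xpack/sql/cli/Cli.class": b"\xca\xfe\xba\xbe", **_log4j_entries("2.14.1")})
    # Jar-in-jar bundle carrying a patched 2.17.1 copy: exercises recursion and a non-affected verdict.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        for name, payload in _log4j_entries("2.17.1").items():
            zf.writestr(name, payload)
    _write_jar(root / "lib/common/bundle.jar", {"lib/log4j-core-2.17.1.jar": inner.getvalue()})
    _write_jar(root / "lib/common/plain.jar", {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})


def scan_sample_install():
    """Build the fixture in a temporary directory and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp)
        return find_log4j(tmp)


if __name__ == "__main__":
    results = find_log4j(sys.argv[1]) if len(sys.argv) > 1 else scan_sample_install()
    for f in results:
        print(f"{f['location']}: log4j-core {f['log4j_core_version'] or 'unknown'} affected={f['affected']}")
```

Run it with the SonarQube install root as the only argument to scan a real tree; with no argument it scans the constructed fixture and reports the shaded 2.14.1 copy and the 2.9.1 jar as affected and the nested 2.17.1 copy as not affected. The verdict is taken from the version in pom.properties, not from the presence of JndiLookup.class, because that class is still shipped in 2.16 and later with the lookup disabled; a jar that has the class but no Maven marker is listed with an unknown version so it can be reviewed by hand rather than silently passed.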

Hi,

SonarQube 9.3 effectively ships Elasticsearch 7.16.3. The corresponding ticket is the following one: SONAR-15869.
You can find several tickets related to the upgrade of Elasticsearch in SonarQube 9.3 release notes because the upgrade to Elasticsearch has been done iteratively in parallel to the 9.2.x bug fix releases.

Chris

1 Like