SonarQube, SonarCloud, and the Log4J vulnerability

flagging vulnerability of file elasticsearch-sql-cli-7.12.1.jar (CVE-2021-44228)

Hello Sonar team, I updated the core and api log4j jars for new versions but now I am getting flagged because another possible “vulnerable” file exists in the Sonarqube repository:

sonarqube-8.9.1\elasticsearch\bin\elasticsearch-sql-cli-7.12.1.jar – Vulnerable to CVE-2021-44228 or CVE-2021-45046

I am thinking of just deleting that file, since it contains an embedded version of log4j-2.14 and I don’t think this tool is actively used by Sonar.

Can you confirm it is safe to remove that file and that it won’t impact the proper operation of SonarQube?

Thanks

Version: Enterprise Edition Version 8.9.1 (build 44547)

Can’t upgrade these weeks because we have an issue with the DB; need your confirmation on this please!
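The question above turns on whether a given jar really bundles a vulnerable log4j-core and whether the dangerous `JndiLookup` class is still inside it. The following is an added example, not code from this thread or from SonarSource: a small inspector that opens a jar as a zip archive, reads the log4j-core version from its embedded `pom.properties`, records every `JndiLookup.class` entry, recurses into nested jars (the "fat jar" layout), and maps the result onto CVE-2021-44228 / CVE-2021-45046. The sample jars it inspects are constructed in memory with dummy class bytes, so it runs offline; `build_sample_jar`, `build_nested_jar`, `inspect_jar` and `classify` are names chosen here, not SonarQube or Elasticsearch APIs.

```python
import io
import re
import zipfile

# Entries that identify a bundled log4j-core and its JNDI lookup plugin.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _parse_version(text):
    """Return (major, minor, patch) from a Maven pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(data, path="<root>"):
    """Walk a jar given as bytes, recursing into nested *.jar entries.

    Returns a dict with the first log4j-core version found, the locations of
    every JndiLookup.class, and the nested jars that were descended into.
    """
    report = {"log4j_core_version": None, "jndi_lookup": [], "nested_jars": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == LOG4J_CORE_POM:
                body = zf.read(name).decode("utf-8", "replace")
                report["log4j_core_version"] = _parse_version(body)
            elif name == JNDI_LOOKUP_CLASS:
                report["jndi_lookup"].append(path + "!/" + name)
            elif name.lower().endswith(".jar"):
                # Shaded/uber jars ship dependencies as whole jars inside the jar.
                nested = inspect_jar(zf.read(name), path + "!/" + name)
                report["nested_jars"].append(name)
                report["jndi_lookup"].extend(nested["jndi_lookup"])
                if nested["log4j_core_version"] and not report["log4j_core_version"]:
                    report["log4j_core_version"] = nested["log4j_core_version"]
    return report


def classify(report):
    """Map an inspect_jar() report onto the two CVEs discussed in the thread."""
    version = report["log4j_core_version"]
    has_jndi = bool(report["jndi_lookup"])
    if version is None and not has_jndi:
        return "no log4j-core found"
    if not has_jndi:
        # Version still old, but the lookup class was stripped (the documented
        # workaround for hosts that cannot upgrade yet).
        return "log4j-core present but JndiLookup removed (mitigated)"
    if version is None:
        return "JndiLookup present, version unknown: treat as CVE-2021-44228"
    if version < (2, 15, 0):
        return "CVE-2021-44228"
    if version < (2, 16, 0):
        return "CVE-2021-45046"
    return "log4j-core %d.%d.%d: not affected by CVE-2021-44228 or CVE-2021-45046" % version


# --- constructed sample data (not real Elasticsearch or log4j bytes) ---------

def build_sample_jar(version="2.14.1", include_jndi=True):
    """Build an in-memory jar that mimics a shaded CLI jar embedding log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(LOG4J_CORE_POM,
                    "version=%s\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n" % version)
        zf.writestr("org/elasticsearch/xpack/sql/cli/Cli.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_nested_jar(inner):
    """Wrap a jar inside another jar under lib/, as fat jars do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/log4j-core-2.14.1.jar", inner)
    return buf.getvalue()


if __name__ == "__main__":
    for label, jar in [("shaded 2.14.1", build_sample_jar()),
                       ("shaded 2.14.1, JndiLookup stripped", build_sample_jar(include_jndi=False)),
                       ("nested 2.14.1", build_nested_jar(build_sample_jar())),
                       ("shaded 2.17.1", build_sample_jar("2.17.1"))]:
        rep = inspect_jar(jar)
        print("%-36s -> %s  (%s)" % (label, classify(rep), rep["jndi_lookup"]))
```

Pointing `inspect_jar` at the bytes of a real file (for example `open(path, "rb").read()` on the jar named in the post) gives the same report shape; the "mitigated" branch is what you would expect to see after the lookup class has been deleted from a jar that cannot yet be replaced by an upgraded build.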

Hi @ivette07mar ,

Rather than butchering your current SonarQube install, your quickest way to address those vulnerabilities is to upgrade to 8.9.6 LTS where this is fixed. This version has no new functionality compared to yours, only security fixes, so an update should have no side effects that you’d otherwise need to mitigate.

4 Likes

Hello,

Any tentative date for a new release which will have the log4j 2.17.1 version?

Thanks,
Gajanan

Hi @gajju26,

Welcome to the community!

We anticipate releasing 9.3 on 31 January 2022.

 
HTH,
Ann

2 Likes

Thanks for the update!!! I am looking forward to contributing to this community.

Thanks,
Gajanan

2 Likes

Hi Ann,

Will there also be a version 8.9.7 LTS available on January 31st?

Thanks,

Jeff

Hi Jeff,

It’s a fair question, but I don’t think so. I’m sure that will be included in the next LTS release, but we’re releasing 9.3 at the end of the month as a regularly-scheduled release, which also addresses this minor security question as a means of avoiding false positives. We’re not releasing it to address log4j 2.17.1.

 
HTH,
Ann

2 Likes

Thanks for the quick reply, Ann!

Jeff

A post was split to a new topic: Elasticsearch failure on startup