Using SonarQube 9.2.4, which has log4j 2.17.0 and is vulnerable to CVE-2021-44832 per the link below

  • SonarQube:9.2.4-community
  • which has log4j 2.17.0 and shows as vulnerable to CVE-2021-44832 at the link below

https://nvd.nist.gov/vuln/detail/CVE-2021-44832

  • Can you please check if it’s vulnerable and how we can mitigate it?

Thanks

Hello there.

Without any official statement from SonarSource, you might be comforted by this message from a fellow community user.


Hi, thanks for the reply.

But it doesn’t provide any new information where it says it’s not vulnerable to the threat.
Can we have more info on the same, or on when the patch or updated versions would be coming?

Hi @kshitizsh12,

Welcome to the community!

As previously stated, our security researchers have found no way to exploit even the original vulnerability in SonarQube. The patches we released were issued “from an abundance of caution” and “to eliminate confusion and avoid false-positive[s] from vulnerability scanning tools”.

The CVE you reference requires “a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server”. Since SonarQube’s only use of Log4J is via Elasticsearch, I think you can rest easy that those conditions don’t exist.

In short, we do not plan to release patches to address this CVE.

HTH,
Ann

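The precondition Ann quotes (a JDBC appender whose connection source is a JNDI data source lookup) can be verified directly in a deployment's own log4j2 configuration. The following check is an added example, not code from this thread, from SonarSource or from Elasticsearch; it assumes the XML configuration format and runs over two constructed sample configurations.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml files; neither is a real SonarQube config.
CONSOLE_ONLY = """<Configuration>
  <Appenders><Console name="Console"><PatternLayout pattern="%m%n"/></Console></Appenders>
  <Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers>
</Configuration>"""

JNDI_JDBC = """<Configuration>
  <Appenders>
    <JDBC name="AuditDb" tableName="audit">
      <DataSource jndiName="java:comp/env/jdbc/AuditDb"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="AuditDb"/></Root></Loggers>
</Configuration>"""

def _local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _is_jdbc_appender(el):
    # log4j2 accepts both <JDBC .../> and the generic <Appender type="JDBC" .../>
    return _local(el.tag) == "JDBC" or (
        _local(el.tag) == "Appender" and el.get("type", "").upper() == "JDBC")

def find_jndi_jdbc_appenders(xml_text):
    """Return (appender name, jndiName, uses java: scheme) for every JDBC
    appender whose connection source is a JNDI DataSource lookup, which is
    the precondition CVE-2021-44832 requires."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if not _is_jdbc_appender(el):
            continue
        for child in el:
            is_ds = _local(child.tag) == "DataSource" or child.get("type") == "DataSource"
            jndi = child.get("jndiName")
            if is_ds and jndi:
                findings.append((el.get("name", "?"), jndi, jndi.lower().startswith("java:")))
    return findings

def assess(xml_text):
    """'not-applicable' when no JNDI-backed JDBC appender is configured
    (the situation described for SonarQube above), otherwise 'review'."""
    return "review" if find_jndi_jdbc_appenders(xml_text) else "not-applicable"
```

A `review` result only means the appender shape exists; the third tuple field tells you whether the JNDI name stays on the `java:` scheme, which is the form a local container data source uses.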