Using SonarQube 9.2.4, which has log4j 2.17.0, and it's vulnerable to CVE-2021-44832 per the link below

Hi @kshitizsh12,

Welcome to the community!

As previously stated, our security researchers have found no way to exploit even the original vulnerability in SonarQube. The patches we released were issued “from an abundance of caution” and “to eliminate confusion and avoid false-positive[s] from vulnerability scanning tools”.

The CVE you reference requires “a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server”. Since SonarQube’s only use of Log4J is via Elasticsearch, I think you can rest easy that those conditions don’t exist.

In short, we do not plan to release patches to address this CVE.

HTH,
Ann

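The precondition Ann quotes for CVE-2021-44832 (a JDBC Appender whose DataSource is a JNDI LDAP URI) is something you can audit directly in a Log4j 2 XML configuration. The following is an added example, not code from this thread or from SonarSource; it assumes the standard log4j2.xml element names (`JDBC`, `DataSource`, `jndiName`, and the strict-XML `Appender type="JDBC"` form) and a constructed sample config.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: one JDBC appender wired to an LDAP JNDI
# data source (the CVE-2021-44832 precondition) and one using a local pool.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <JDBC name="remoteDb" tableName="app_log">
      <DataSource jndiName="ldap://logging-host.example:389/o=datasource" />
      <Column name="message" pattern="%m" />
    </JDBC>
    <Appender type="JDBC" name="localDb" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource" />
      <Column name="message" pattern="%m" />
    </Appender>
    <Console name="stdout" target="SYSTEM_OUT" />
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="stdout" /></Root>
  </Loggers>
</Configuration>
"""

# JNDI schemes that hand name resolution to a remote directory server.
REMOTE_SCHEMES = ("ldap:", "ldaps:")


def _is_jdbc_appender(el: ET.Element) -> bool:
    """Match both <JDBC ...> and the strict-XML <Appender type="JDBC" ...> forms."""
    tag = el.tag.lower()
    return tag == "jdbc" or (tag == "appender" and (el.get("type") or "").lower() == "jdbc")


def find_ldap_datasources(xml_text: str) -> list[dict]:
    """Return each JDBC appender whose DataSource jndiName points at an LDAP URI.

    An empty list means the CVE-2021-44832 precondition is absent from this config.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for appender in root.iter():
        if not _is_jdbc_appender(appender):
            continue
        for ds in appender.iter():
            if ds.tag.lower() != "datasource":
                continue
            jndi = (ds.get("jndiName") or "").strip()
            if jndi.lower().startswith(REMOTE_SCHEMES):
                findings.append({"appender": appender.get("name"), "jndiName": jndi})
    return findings
```

Run it over each log4j2.xml shipped with an application (for SonarQube that would be the Elasticsearch configuration Ann mentions) to confirm that no appender matches the quoted precondition.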