YfryTchsGD / Log4jAttackSurface


SonarQube 9.2(Current) and earlier are vulnerable #58

Open VerityCyber opened 2 years ago

VerityCyber commented 2 years ago

They contain log4j 2.11.1.

lukehankins commented 2 years ago

I believe that they have stated that they are not affected.

https://community.sonarsource.com/t/sonarqube-sonarcloud-and-the-log4j-vulnerability/54721

Edit: "Regarding all the other questions about non-latest, non-LTS versions, again, only latest (9.2.1) and LTS (8.9.3) are supported. We have not investigated other versions, since we don’t support them. If you have concerns, you should upgrade."

VerityCyber commented 2 years ago

While they are not directly affected, they contain a version of Elasticsearch that contains a version of log4j that is. It is easy to mitigate with the sonar.search.javaAdditionalOpts=-Dlog4j2.formatMsgNoLookups=true setting. I decided to post this so industry partners that may be using SonarQube will know to check and ensure that flag is set.
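The check the comment above asks for, as an added example that is not part of this thread or of SonarQube: a small audit that parses a sonar.properties file and confirms that the Elasticsearch JVM (sonar.search.javaAdditionalOpts) actually ends up with -Dlog4j2.formatMsgNoLookups=true. It assumes nothing beyond Java .properties syntax and the JVM rule that the last -D for a given name wins; the sample file is constructed.

```python
"""Audit sonar.properties for the log4j2.formatMsgNoLookups mitigation on the ES JVM."""
import re
from typing import Dict, List

# Constructed sample sonar.properties (not from a real install). Note the
# commented-out line, the flag on the wrong JVM (sonar.web), and a false
# value that is later overridden by a true one on the sonar.search JVM.
SAMPLE_PROPERTIES = """\
#sonar.search.javaAdditionalOpts=-Dlog4j2.formatMsgNoLookups=true
sonar.web.javaAdditionalOpts=-Dlog4j2.formatMsgNoLookups=true
sonar.search.javaAdditionalOpts=-Xms512m -Dlog4j2.formatMsgNoLookups=false -Dlog4j2.formatMsgNoLookups=true
"""

FLAG = "log4j2.formatMsgNoLookups"
ES_KEY = "sonar.search.javaAdditionalOpts"

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments.
    A later duplicate key overrides an earlier one, as in java.util.Properties."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def jvm_sysprops(opts: str) -> Dict[str, str]:
    """Extract -Dname=value system properties from a javaAdditionalOpts string.
    The JVM honours the last -D for a given name, so later tokens win."""
    result: Dict[str, str] = {}
    for tok in opts.split():
        if tok.startswith("-D"):
            name, _, value = tok[2:].partition("=")
            result[name] = value
    return result

def lookups_disabled(props: Dict[str, str], key: str = ES_KEY) -> bool:
    """True only if the JVM started from `key` ends up with formatMsgNoLookups=true."""
    return jvm_sysprops(props.get(key, "")).get(FLAG, "").lower() == "true"

def audit(text: str) -> List[str]:
    """Return findings for one sonar.properties file; the flag on sonar.web does not count."""
    if lookups_disabled(parse_properties(text)):
        return [f"OK: {ES_KEY} sets -D{FLAG}=true"]
    return [f"MISSING: set {ES_KEY}=-D{FLAG}=true (upgrading the bundled log4j is the durable fix)"]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPERTIES)))
```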

lukehankins commented 2 years ago

Is the topic of this ticket correct? Is the current (9.2) version of SonarQube vulnerable?

VerityCyber commented 2 years ago

If the intent of this thread is to track attack surface, then it is valid to note that this application contains potential attack surface. If you would like to chalk this one up to duplicate for Elasticsearch, then that's fine. Noting dependency vulns may help prevent a breach for someone using this product.