Uploaded image for project: 'SonarQube'
  1. SonarQube
  2. SONAR-15853

Update of Elasticsearch to 7.16.2, update of Log4J to 2.17

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 8.9.6, 9.2.4, 9.3
    • Component/s: ElasticSearch
    • Labels:
      None
    • Edition:
      Community
    • Production Notes:
      None

      Description

      To eliminate confusion and avoid false positive from vulnerability scanning tools in regards to CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105:

      • The SonarQube Log4J test dependency is updated to 2.17. This dependency is not included in the SonarQube distribution and is not susceptible to these CVEs.
      • The Elasticsearch component is updated to its latest bug fix version, 7.16.2, which updates the packaged Log4J dependency to 2.17.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              jacek.poreda Jacek Poreda
              Reporter:
              jacek.poreda Jacek Poreda
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: