UCS 5.0-0 does ship apache-log4j2 as a Debian package, but it is not used by default. Because this package is not covered by the regular errata tracking, we made updates for it available to our customers on 12/13/2021. For more information on the update, please visit the help forum at: https://help.univention.com/t/status-of-log4j-log4shell-vulnerability-cve-2021-44228-in-ucs-and-apps/19020.
The UCS 4 package apache-log4j1.2 is affected by a related vulnerability, but as far as we know at this time it does not allow remote code execution (RCE). This package is also not used by default in UCS. We are waiting for an upstream update here.
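To find out which log4j builds are actually present on a host (packaged ones as well as copies bundled inside application archives), the following scanner is an added example; it is not Univention's code and not part of the forum post. It walks a directory tree, opens every jar/war/ear/zip, recurses into nested archives, identifies log4j-core by its manifest and classifies each copy against CVE-2021-44228 by version range and by whether the JndiLookup class is still present. It assumes the upstream manifest fields (Implementation-Title "Apache Log4j Core", Bundle-SymbolicName "org.apache.logging.log4j.core"); the build_* helpers construct stub jars as sample input so the logic can be exercised offline.

```python
"""Scan for log4j-core jars and classify them against CVE-2021-44228.

Added example, not Univention code. Assumptions: a jar is log4j-core when its
MANIFEST.MF carries Implementation-Title "Apache Log4j Core" or
Bundle-SymbolicName "org.apache.logging.log4j.core"; the version is read from
Implementation-Version. Nested archives (war/ear/fat jars) are scanned too.
"""
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped, which is safe here: 2.0-beta9 is inside the affected range."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected_version(version):
    """True if a log4j-core version is in the CVE-2021-44228 range.
    2.15.0 closed the hole; 2.12.2 (Java 7) and 2.3.1 (Java 6) are backports."""
    v = parse_version(version)
    if v is None or v[0] != 2:
        return False  # log4j 1.x is a different code base, not CVE-2021-44228
    if v[:2] == (2, 12):
        return v[2] < 2
    if v[:2] == (2, 3):
        return v[2] < 1
    return v < (2, 15, 0)


def classify(version, has_jndi_lookup):
    """vulnerable / mitigated (class removed) / fixed / unknown."""
    if parse_version(version) is None:
        return "unknown"
    if not is_affected_version(version):
        return "fixed"
    return "vulnerable" if has_jndi_lookup else "mitigated"


def read_manifest(zf):
    """Parse 'Key: value' lines of MANIFEST.MF into a dict (continuation lines ignored)."""
    if MANIFEST not in zf.namelist():
        return {}
    fields = {}
    for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_log4j_core(manifest):
    return (manifest.get("Implementation-Title") == "Apache Log4j Core"
            or manifest.get("Bundle-SymbolicName") == "org.apache.logging.log4j.core")


def scan_archive(data, label, findings):
    """Inspect one archive given as bytes; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        manifest = read_manifest(zf)
        if is_log4j_core(manifest):
            version = manifest.get("Implementation-Version", "")
            has_jndi = JNDI_LOOKUP_CLASS in names
            findings.append({"path": label, "version": version or "unknown",
                             "jndi_lookup": has_jndi,
                             "status": classify(version, has_jndi)})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found; returns the findings list."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def build_log4j_core_jar(version, include_jndi_lookup=True):
    """Constructed sample input: a stub jar carrying a log4j-core manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                              "Implementation-Title: Apache Log4j Core\r\n"
                              f"Implementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_war(inner_jars):
    """Constructed sample input: a war bundling jars under WEB-INF/lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in inner_jars.items():
            zf.writestr(f"WEB-INF/lib/{name}", data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/java"
    for hit in scan_tree(root):
        print(f"{hit['status']:<10} {hit['version']:<10} {hit['path']}")
```

Run it as `python3 scan.py /usr/share/java` (where Debian installs packaged jars) or against an application's install directory; a "mitigated" result means the JndiLookup class has been stripped from an otherwise affected build, which is the documented workaround for releases that cannot be upgraded. The version classification does not cover log4j 1.x, which is a separate code base and not affected by CVE-2021-44228.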
Applications in UCS
There are some Java-based applications that can be installed on UCS that could potentially be affected. These include: Zammad, Seafile, Jitsi, Bluespice, Jenkins. Security advisories are already available for these.
The Swagger UI software, which can be used within the Kelvin REST API, does use log4j, but in a very limited context. It is not passed arbitrary user-supplied content, and it can only be controlled by users with administrative rights. Our assessment is that there is currently no risk of exploitation via RCE here.
Please also note that UCS provides connectors to various third-party solutions that may be vulnerable. While this does not make UCS directly vulnerable, it may open up opportunities for post-exploitation techniques and lateral movement.
We are continuously working on analyzing all applications for security vulnerabilities and will keep you updated in our forum on log4j/log4shell.