Log4j2 is used in UCX release 7.6 - Software Fix addresses CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 and is available (as of Dec. 20, 2021). Until it is publicly available on support site, you can download the patch from the attachment sections in this KB Article.
Please find below the directions on how to apply the patch. (The zip file also contains a README file with directions on how to apply the patch.)
1. Unzip the attachement and upload all 3 jar files to /tmp directory -
2. Stop services:
service ucxpert stop
3. Delete existing log4j jars:
4. Copy new log4j jars:
cp /tmp/log4j-1.2-api-2.17.0.jar /opt/ucxpert/tomcat/lib
cp /tmp/log4j-core-2.17.0.jar /opt/ucxpert/tomcat/lib
cp /tmp/log4j-api-2.17.0.jar /opt/ucxpert/tomcat/lib
5. Update ownership:
chown ucxpert:ucxpert /opt/ucxpert/tomcat/lib/log4j*.jar
6. Restart services:
service ucxpert start
NOTE: Prior to release 7.6, Log4j 1.x was used and which is mentioned in : https://cve.report/CVE-2021-4104
CVE-2021-4104 mentions that this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default.
Even though UCX versions prior to 7.6 used Log4j 1.x, they are not configured to use the JMSAppender and therefore not vulnerable.