Official fixes for UniFi Network Application came in 6.5.54 (CVE-2021-44228) & 6.5.55 (CVE-2021-45046).
UniFi Video is EOL and will not receive updates.
If there is an older version used for some reason, it’s up to the server administrator to update required jar-files.
This is tested with unifi-video 3.10.13 & unifi 5.14.23-13880-1, running on Debian 11.
unifi (5.14.23-13880-1)
Download log4j v2.12.4 (last version supporting Java 7) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.tar.gz)
Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.12.4.jar -> /usr/lib/unifi/lib/log4j-api-2.12.1.jar
log4j-core-2.12.4.jar -> /usr/lib/unifi/lib/log4j-core-2.12.1.jar
log4j-slf4j-impl-2.12.4.jar -> /usr/lib/unifi/lib/log4j-slf4j-impl-2.12.1.jar
Restart unifi -service.
unifi-video (3.10.13)
Download log4j v2.3.2 (last version supporting Java 6) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.3.2/apache-log4j-2.3.2-bin.tar.gz)
Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-api-2.1.jar
log4j-core-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-core-2.1.jar
log4j-slf4j-impl-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-slf4j-impl-2.1.jar
Restart unifi-video -service.