Pinned Comments
torben commented on 2023-01-04 09:20 (UTC) (edited on 2023-01-04 09:20 (UTC) by torben)
Please be aware that Ubiquiti has discontinued support for Unifi-Video.
I will keep an eye on this package while I am still using it, but please understand that without support from Ubiquiti there isn't much I can do in case of problems with the app itself.
Also, I strongly recommend no longer publishing Unifi-Video unprotected on the Web. Work under the assumption that this application can be breached.
torben commented on 2021-12-18 16:55 (UTC) (edited on 2021-12-27 14:04 (UTC) by torben)
Version 3.10.13-2 mitigates the log4j JNDI vulnerability out of the box.
Be aware that unifi-video is affected by the recent log4j JNDI Lookup vulnerabilities. As Ubiquiti is no longer maintaining this piece of software, we can't expect an update.
The best mitigation (removing the JNDI Lookup Ability in log4j) for unifi-video can be found here:
https://community.ui.com/questions/Mitigating-the-Java-Log4J-exploit-in-UniFi-Video-on-Debian-Ubuntu/c59621d2-3cbf-48aa-9780-76477e0b1d39#answer/06ed75d6-113c-4230-9d44-7394e4ba2542
Basically, it removes the corresponding lookup-class from log4j-core.jar via:
I strongly recommend that everybody either update to 3.10.13-2 or fix the log4j JAR file manually.