Apache needs to be updated more regularly

Hey,

your impression is not correct.
Regarding the mentioned exploit: This only affects Apache versions >=2.4.49 while UCS 5 packages version 2.4.38, so our Apache was never affected by this.
On a broader picture: It is true that there are several vulnerabilities found in Apache. As soon as they are fixed upstream (in Debian), these fixes are included in UCS. For UCS 5 alone, 3 security fixes have been released.

Many reports and warnings of vulnerability checkers only compare package version numbers. As we repackage Apache, this leads to false positives; more about that was written here: Vulnerability Apache2 - #4 by jlk and here: How-to: Verify automated security scan

If you want to check if your installation really is affected I would do the following:

  1. Find out which versions are affected and which version you are using.
  2. If the vulnerability affects your version, you can check our errata page with the CVE as mentioned in the linked post.
  3. If you cannot find a fix there, you can check whether the Debian project is affected and has fixed this, as written in the How-To.

Only if your version is affected and there is no mention of a fix released by us would I panic; otherwise that’s just a false positive. 🙂

Regards
Jan-Luca

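The three-step check described in the post, as an added example that is not part of the original post and not Univention's own tooling: a small Python script that compares the installed package version the way dpkg does and scans a Debian changelog (Debian and UCS ship it as /usr/share/doc/apache2/changelog.Debian.gz) for the CVE id, which is how a backported fix is verified when the upstream version number alone would be a false positive. The changelog text, the Debian revisions and the CVE ids inside it are constructed placeholders; the 2.4.49 lower bound is the one the post cites.

```python
"""Check whether a backported Debian/UCS package already carries a CVE fix.

Added example, not code from the forum post or from Univention. The
changelog below, its Debian revisions and the CVE ids are constructed
placeholders for illustration, not real advisories.
"""
import re


def _order(c):
    """Sort weight of one character, following dpkg's version comparison."""
    if c == '~':
        return -1
    if c == '' or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments as dpkg does: alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using the dpkg ordering.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else '')
            bc = _order(b[j] if j < len(b) else '')
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(':')
    if not sep:
        epoch, rest = '0', version
    upstream, sep, revision = rest.rpartition('-')
    if not sep:
        upstream, revision = rest, ''
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1, matching `dpkg --compare-versions` semantics."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


# Debian changelog entry header: "pkg (version) distribution; urgency=..."
_HEADER = re.compile(r'^(\S+) \(([^)]+)\) [^;]+; urgency=\S+', re.M)


def parse_changelog(text):
    """Yield (version, entry body) for each entry of a Debian changelog."""
    matches = list(_HEADER.finditer(text))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(text)
        yield m.group(2), text[m.end():end]


def versions_fixing(changelog, cve):
    """All package versions whose changelog entry names the given CVE id."""
    pattern = re.compile(r'\b' + re.escape(cve) + r'\b', re.I)
    return [v for v, body in parse_changelog(changelog) if pattern.search(body)]


def cve_fixed_in_installed(changelog, cve, installed):
    """Steps 2 and 3 of the post: is a fix for `cve` already in the installed version?"""
    return any(compare_versions(installed, v) >= 0 for v in versions_fixing(changelog, cve))


def upstream_affected(installed, first_affected_upstream):
    """Step 1 of the post: does the upstream part of the version reach the affected range?"""
    return compare_versions(split_version(installed)[1], first_affected_upstream) >= 0


# Constructed sample changelog; placeholder CVE ids and revisions, not real ones.
SAMPLE_CHANGELOG = """\
apache2 (2.4.38-3+deb10u6) buster-security; urgency=high

  * Backport upstream fix for CVE-0000-0002 (placeholder id).

 -- Example Maintainer <maint@example.invalid>  Mon, 04 Oct 2021 10:00:00 +0000

apache2 (2.4.38-3+deb10u5) buster-security; urgency=high

  * Backport upstream fix for CVE-0000-0001 (placeholder id).

 -- Example Maintainer <maint@example.invalid>  Mon, 06 Sep 2021 10:00:00 +0000

apache2 (2.4.38-3+deb10u4) buster; urgency=medium

  * Packaging-only change, no security content.

 -- Example Maintainer <maint@example.invalid>  Mon, 02 Aug 2021 10:00:00 +0000
"""

if __name__ == "__main__":
    installed = "2.4.38-3+deb10u5"  # what `dpkg -s apache2` would report on the sample host
    print("upstream in affected range (>=2.4.49):", upstream_affected(installed, "2.4.49"))
    print("CVE-0000-0001 fixed:", cve_fixed_in_installed(SAMPLE_CHANGELOG, "CVE-0000-0001", installed))
    print("CVE-0000-0002 fixed:", cve_fixed_in_installed(SAMPLE_CHANGELOG, "CVE-0000-0002", installed))
```

On a real host the same check is `dpkg -s apache2` for the installed version and `zcat /usr/share/doc/apache2/changelog.Debian.gz | grep CVE-...` for the fixing entry; the script only makes the version comparison explicit, since a scanner that reads "2.4.38" and stops there is exactly the false positive the post describes.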