17 February 2020 - POI 4.1.2 available

The Apache POI team is pleased to announce the release of 4.1.2. This release features better chart support in XDDF, various rendering fixes in the Common SL/EMF modules, and OOM fixes when handling arbitrary slide indexes in XSLF (plus a new dependency on SparseBitSet 1.2). Several dependencies were also updated to their latest versions to pick up security fixes and other improvements.

A summary of changes is available in the Release Notes. A full list of changes is available in the change log. People interested should also follow the dev list to track progress.

See the downloads page for more details.

POI requires Java 8 or newer since version 4.0.1.

20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1

Description:

When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Mitigation:

Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml are not affected. Affected users are advised to update to Apache POI 4.1.1, which fixes this vulnerability.

Credit: This issue was discovered by Artem Smotrakov from SAP.

References: XML external entity attack

26 March 2019 - XMLBeans 3.1.0 available

The Apache POI team is pleased to announce the release of XMLBeans 3.1.0. Featured are a handful of bug fixes.

The Apache POI project has unretired the XMLBeans codebase and is maintaining it as a sub-project, due to its importance in the poi-ooxml codebase.

A summary of changes is available in the Release Notes. People interested should also follow the POI dev list to track progress.

The XMLBeans JIRA project has been reopened; feel free to open issues.

POI 4.1.0 uses XMLBeans 3.1.0.

XMLBeans requires Java 6 or newer since version 3.0.2.

11 January 2019 - Initial support for JDK 11

We did some work to verify that compilation with Java 11 works and that all unit tests pass.

See the details in the FAQ entry.