Symantec Security Response, SMNTC-111546
Published: Oct 23, 2019

Apache POI CVE-2019-12415 XML External Entity Information Disclosure Vulnerability


Description

Apache POI is prone to an XML External Entity (XXE) information-disclosure vulnerability (CVE-2019-12415) in its XSSFExportToXml tool. When XSSFExportToXml is used to convert a user-supplied Microsoft Excel (.xlsx) document to XML, a specially crafted document can make the underlying XML parser resolve external entities, letting an attacker read files from the local filesystem or reach resources on the internal network. The disclosed data may aid further attacks. Apache POI 4.1.0 and prior are vulnerable; version 4.1.1 fixes the issue.

Technologies Affected

  • Apache POI 0.1
  • Apache POI 0.10.0
  • Apache POI 0.11.0
  • Apache POI 0.12.0
  • Apache POI 0.13.0
  • Apache POI 0.14.0
  • Apache POI 0.2
  • Apache POI 0.3
  • Apache POI 0.4
  • Apache POI 0.5
  • Apache POI 0.6
  • Apache POI 0.7
  • Apache POI 1.0.0
  • Apache POI 1.0.1
  • Apache POI 1.0.2
  • Apache POI 1.1.0
  • Apache POI 1.10 Dev
  • Apache POI 1.2.0
  • Apache POI 1.5
  • Apache POI 1.5.1
  • Apache POI 1.7 Dev
  • Apache POI 1.8 Dev
  • Apache POI 2.0 Pre1
  • Apache POI 2.0 Pre2
  • Apache POI 2.0 Pre3
  • Apache POI 2.0 RC1
  • Apache POI 2.0 RC2
  • Apache POI 2.5
  • Apache POI 2.5.1
  • Apache POI 3.0
  • Apache POI 3.0 Alpha1
  • Apache POI 3.0 Alpha2
  • Apache POI 3.0 Alpha3
  • Apache POI 3.0.2
  • Apache POI 3.0.2 Beta1
  • Apache POI 3.0.2 Beta2
  • Apache POI 3.1
  • Apache POI 3.1 Beta1
  • Apache POI 3.1 Beta2
  • Apache POI 3.10
  • Apache POI 3.10 Beta1
  • Apache POI 3.10 Beta2
  • Apache POI 3.10.1
  • Apache POI 3.11 Beta1
  • Apache POI 3.11 Beta3
  • Apache POI 3.11-beta2
  • Apache POI 3.13
  • Apache POI 3.14
  • Apache POI 3.15
  • Apache POI 3.16
  • Apache POI 3.17
  • Apache POI 3.2
  • Apache POI 3.5
  • Apache POI 3.5 Beta1
  • Apache POI 3.5 Beta2
  • Apache POI 3.5 Beta3
  • Apache POI 3.5 Beta4
  • Apache POI 3.5 Beta5
  • Apache POI 3.5 Beta6
  • Apache POI 3.6
  • Apache POI 3.7
  • Apache POI 3.7 Beta1
  • Apache POI 3.7 Beta2
  • Apache POI 3.7 Beta3
  • Apache POI 3.8
  • Apache POI 3.8 Beta1
  • Apache POI 3.8 Beta2
  • Apache POI 3.8 Beta3
  • Apache POI 3.8 Beta4
  • Apache POI 3.8 Beta5
  • Apache POI 3.9
  • Apache POI 4.0.0
  • Apache POI 4.0.1
  • Apache POI 4.1.0
  • Oracle Application Testing Suite 12.5.0.3
  • Oracle Application Testing Suite 13.1.0.1
  • Oracle Application Testing Suite 13.2.0.1
  • Oracle Application Testing Suite 13.3.0.1
  • Oracle Endeca Information Discovery Studio 3.2
  • Oracle Enterprise Repository 12.1.3.0.0
  • Oracle Primavera Gateway 17.12.6
  • Oracle Primavera Gateway 18.8.8.1
  • Oracle Primavera Unifier 16.1
  • Oracle Primavera Unifier 16.2
  • Oracle Primavera Unifier 17.12
  • Oracle Primavera Unifier 17.7
  • Oracle Primavera Unifier 18.8
  • Oracle Primavera Unifier 19.12
  • Oracle Retail Clearance Optimization Engine 14.0
  • Oracle Retail Predictive Application Server 15.0.3
  • Oracle Retail Predictive Application Server 16.0.3

Recommendations

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Ensure that only trusted users have local, interactive access to affected computers. Note that this issue is triggered by the content of a document rather than by direct access to the host: the relevant attacker is anyone who can submit a spreadsheet to an application that converts it with Apache POI.

Block external access at the network boundary, unless external parties require service.
If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks reduces the likelihood of successful exploits. Also restrict outbound connections from the host that parses documents: an XXE payload can be used to reach internal network resources or to send file contents to an attacker-controlled server, and an egress filter limits both.

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, run all applications with the minimal amount of privileges required for functionality. With XXE, the files an attacker can read are bounded by what the process account can read, so running the conversion service under a dedicated low-privilege account limits the exposure.

Updates are available. Apache POI 4.1.1 fixes this issue; upgrade, and until then do not pass untrusted spreadsheets to XSSFExportToXml. Please see the vendor advisory for more information.
