

The Apache POI team is pleased to announce the release of 5.2.0. Several dependencies were updated to their latest versions to pick up security fixes and other improvements.

A full list of changes is available in the change log. People interested should also follow the dev list to track progress.

POI requires Java 8 or newer since version 4.0.1.

The Apache POI PMC has evaluated the security vulnerabilities reported. POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core. If any POI or XMLBeans user uses log4j-core to control their logging of their application, we strongly recommend that they upgrade all their log4j dependencies to the latest version (currently v2.17.1) - including log4j-api.

13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0
