We have found the UIM has the Apache POI component deployed with the UMP and Unified reporter. We need to know if this is vulnerable to the CVE-2016-5000 exploit?

Document ID : KB000011806
Last Modified Date : 14/02/2018
Question:

In reviewing UIM we have found that Apache POI is included in the following products:
- UMP / Liferay
- Unified Reporter

Is UIM vulnerable to CVE-2016-5000?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5000

Environment:
- UIM 8.4
- UIM 8.4 SP1
- UIM 8.4 SP2
- UIM 8.47
Answer:

Per our development teams and security engineer, we received the following detail:

We've taken a deep look at this exploit, and although we can confirm that we do use an affected version of Apache POI (less than 3.14), in order for an attacker to take advantage of this exploit, it would require that specific functionality be enabled and used inside the code. Specifically, this is functionality that allows end-users to upload OpenXML documents and have them converted/exported in CSV format.

This code is not implemented or present in any part of our code base and therefore it would not be possible for an attacker to take advantage of this exploit in our products.

It's possible that the versions used will be updated in the future, but this is out of our control to some extent because we rely on the versions shipped with Liferay and Jaspersoft products. However, we can confidently confirm that UMP, UIM, and Unified Reporter are NOT vulnerable to this exploit.
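Because the POI version shipped with UMP and Unified Reporter follows the bundled Liferay and Jaspersoft releases, an inventory of the deployed jars is the quickest way to confirm which version is actually present. The script below is an added example, not part of this article or of the products; it walks a directory tree, reads the POI version from each jar's filename or manifest, and flags anything below the 3.14 threshold quoted above. The directory layout and jar names in the sample deployment are constructed for illustration, and the check says nothing about whether the library is ever called with user-supplied documents.

```python
import re
import zipfile
from pathlib import Path
from tempfile import mkdtemp

FIXED_VERSION = (3, 14)  # first Apache POI release the advisory treats as not affected
_NAME_RE = re.compile(r"^poi(?:-[a-z]+)*-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$")

def parse_version(text):
    """Turn '3.9' or '3.10-FINAL' into a comparable tuple; suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))

def jar_version(path):
    """Version from the jar filename, else from its manifest, else None."""
    m = _NAME_RE.match(path.name)
    if m:
        return parse_version(m.group(1))
    with zipfile.ZipFile(path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for key in ("Implementation-Version", "Bundle-Version"):
        mm = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if mm:
            return parse_version(mm.group(1))
    return None

def audit_poi_jars(root):
    """Map each POI jar (path relative to root) to (version, affected).
    A jar whose version cannot be determined is reported as affected."""
    root = Path(root)
    results = {}
    for jar in root.rglob("poi*.jar"):
        if not re.match(r"^poi(-|\.jar$)", jar.name):
            continue  # skip unrelated jars such as 'pointer.jar'
        ver = jar_version(jar)
        results[jar.relative_to(root).as_posix()] = (ver, ver is None or ver < FIXED_VERSION)
    return results

def build_sample_deployment():
    """Constructed stand-in for a UMP/Unified Reporter lib tree (not real product files)."""
    root = Path(mkdtemp())
    for sub, name, manifest in (
        ("ump/lib", "poi-3.9.jar", None),
        ("reporter/lib", "poi-ooxml-3.14.jar", None),
        ("reporter/lib", "poi.jar", "Manifest-Version: 1.0\r\nImplementation-Version: 3.10-FINAL\r\n"),
    ):
        (root / sub).mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / sub / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest or "Manifest-Version: 1.0\r\n")
    return root
```

Run `audit_poi_jars("/path/to/installation")` against a real tree; the sample returns two affected jars (poi-3.9.jar and poi.jar at 3.10) and clears poi-ooxml-3.14.jar.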