Update Apache POI in Spring 4.3.x [SPR-17385]

[spring-projects-issues]

GFriedrich opened SPR-17385 and commented

I just saw that Spring WebMVC in the 4.3.x branch has an optional dependency of Apache POI 3.14.

This version of Apache POI is vulnerable to CVE-2017-5644 and CVE-2017-12626

I'm wondering whether it would be possible to update to the latest Apache POI 3.x on this branch?

I know that Spring 4.3.x is in some kind of maintenance mode, but maybe it's an easy task. But you know for sure better than I do. :)

Thanks in advance.

---

Affects: 4.3.20

Referenced from: commits bf9043c

[spring-projects-issues]

Rossen Stoyanchev commented

That's right, 4.3.x is in maintenance mode. It is an optional dependency however so a project has to choose the version. That said from the reports CVE-2017-5644 and CVE-2017-12626 it looks like upgrading to 3.17 should cover those issues.

[spring-projects-issues]

Juergen Hoeller commented

Indeed, 3.14 is just the POI version that we happen to compile against, as a baseline for our API dependency. Like with all of our optional integration arrangements, the specific version for a particular application is always chosen by the application project setup.

So we effectively support POI 3.14+ for use with Spring Framework 4.3.x, recommending the latest in line... since even POI 3.17 is being superseded by POI 4.0 in the meantime, we should be able to upgrade our build dependency to it in the 4.3.x line at this point.

[spring-projects-issues]

Juergen Hoeller commented

I've upgraded our 4.3.x branch to POI 3.17, aligned with the 5.0.x branch.