Apache Software Foundation > Apache POI
 

Apache POI™ - the Java API for Microsoft Documents

Project News

11 November 2024 - Avoid log4j-api 2.24.1

When testing a potential Apache POI 5.4.0 release, we discovered a serious bug in log4j-api 2.24.1. This leads to NullPointerExceptions when you use log4j-core that is not of the exact same version (2.24.1). We recommend that users avoid log4j 2.24.x.

Please direct any queries to the Log4j Team. The main issue is Issue 3143.

An XMLBeans 5.2.2 release was recently made and that has the problematic log4j-api 2.24.1 dependency. XMLBeans 5.2.2 doesn't have many changes so users should avoid it unless they need the changes in it. If you must use that XMLBeans release, you will need to carefully test the upgrade.

2 July 2024 - POI 5.3.0 available

The Apache POI team is pleased to announce the release of 5.3.0. Several dependencies were updated to their latest versions to pick up security fixes and other improvements.

A summary of changes is available in the Release Notes. A full list of changes is available in the change log. People interested should also follow the dev list to track progress.

See the downloads page for more details.

POI requires Java 8 or newer since version 4.0.1.

4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0

Description:
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.

Mitigation:
Affected users are advised to update to poi-scratchpad 5.2.1 or above which fixes this vulnerability. It is recommended that you use the same versions of all POI jars.

10+16+18 December 2021- Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105

The Apache POI PMC has evaluated the security vulnerabilities reported for Apache Log4j.

POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core.

If any POI or XMLBeans user uses log4j-core to control their logging of their application, we strongly recommend that they upgrade all their log4j dependencies to the latest version (currently v2.20.0) - including log4j-api.

13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0

Description:
When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.

This issue was fixed a few years ago but on review, we decided we should have a CVE to raise awareness of the issue.

Mitigation:
Affected users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.

References: XML external entity attack

20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1

Description:
When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.

Mitigation:
Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml are not affected. Affected users are advised to update to Apache POI 4.1.1 which fixes this vulnerability.

Credit: This issue was discovered by Artem Smotrakov from SAP

References: XML external entity attack

26 March 2019 - XMLBeans 3.1.0 available

The Apache POI team is pleased to announce the release of XMLBeans 3.1.0. Featured are a handful of bug fixes.

The Apache POI project has unretired the XMLBeans codebase and is maintaining it as a sub-project, due to its importance in the poi-ooxml codebase.

A summary of changes is available in the Release Notes. People interested should also follow the POI dev list to track progress.

The XMLBeans JIRA project has been reopened and feel free to open issues.

POI 4.1.0 uses XMLBeans 3.1.0.

XMLBeans requires Java 6 or newer since version 3.0.2.

11 January 2019 - Initial support for JDK 11

We did some work to verify that compilation with Java 11 is working and that all unit-tests pass.

See the details in the FAQ entry.

Mission Statement

The Apache POI Project's mission is to create and maintain Java APIs for manipulating various file formats based upon the Office Open XML standards (OOXML) and Microsoft's OLE 2 Compound Document format (OLE2). In short, you can read and write MS Excel files using Java. In addition, you can read and write MS Word and MS PowerPoint files using Java. Apache POI is your Java Excel solution (for Excel 97-2008). We have a complete API for porting other OOXML and OLE2 formats and welcome others to participate.

OLE2 files include most Microsoft Office files such as XLS, DOC, and PPT as well as MFC serialization API based file formats. The project provides APIs for the OLE2 Filesystem (POIFS) and OLE2 Document Properties (HPSF).

Office OpenXML Format is the new standards based XML file format found in Microsoft Office 2007 and 2008. This includes XLSX, DOCX and PPTX. The project provides a low level API to support the Open Packaging Conventions using openxml4j.

For each MS Office application there exists a component module that attempts to provide a common high level Java api to both OLE2 and OOXML document formats. This is most developed for Excel workbooks (SS=HSSF+XSSF). Work is progressing for Word documents (WP=HWPF+XWPF) and PowerPoint presentations (SL=HSLF+XSLF).

The project has some support for Outlook (HSMF). Microsoft opened the specifications to this format in October 2007. We would welcome contributions.

There are also projects for Visio (HDGF and XDGF), TNEF (HMEF), and Publisher (HPBF).

As a general policy we collaborate as much as possible with other projects to provide this functionality. Examples include: Cocoon for which there are serializers for HSSF; Open Office.org with whom we collaborate in documenting the XLS format; and Tika / Lucene, for which we provide format interpretors. When practical, we donate components directly to those projects for POI-enabling them.

Why should I use Apache POI?

A major use of the Apache POI api is for Text Extraction applications such as web spiders, index builders, and content management systems.

So why should you use POIFS, HSSF or XSSF?

You'd use POIFS if you had a document written in OLE 2 Compound Document Format, probably written using MFC, that you needed to read in Java. Alternatively, you'd use POIFS to write OLE 2 Compound Document Format if you needed to inter-operate with software running on the Windows platform. We are not just bragging when we say that POIFS is the most complete and correct implementation of this file format to date!

You'd use HSSF if you needed to read or write an Excel file using Java (XLS). You'd use XSSF if you need to read or write an OOXML Excel file using Java (XLSX). The combined SS interface allows you to easily read and write all kinds of Excel files (XLS and XLSX) using Java. Additionally there is a specialized SXSSF implementation which allows to write very large Excel (XLSX) files in a memory optimized way.

Components

The Apache POI Project provides several component modules some of which may not be of interest to you. Use the information on our Components page to determine which jar files to include in your classpath.

Contributing

So you'd like to contribute to the project? Great! We need enthusiastic, hard-working, talented folks to help us on the project, no matter your background. So if you're motivated, ready, and have the time: Download the source from the Subversion Repository, build the code, join the mailing lists, and we'll be happy to help you get started on the project!

Please read our Contribution Guidelines. When your contribution is ready submit a patch to our Bug Database.