A security scan of our environment recently identified a potential vulnerability, CVE-2016-5000, related to UMP and/or Unified Reporter. How can we address this vulnerability?
We've taken a deep look at this exploit, and although we can confirm that we do use an affected version of Apache POI (less than 3.14), in order for an attacker to take advantage of this exploit, it would require that specific functionality be enabled and used inside the code. Specifically, this is functionality that allows end-users to upload OpenXML documents and have them converted/exported in CSV format.
This code is not implemented or present in any part of our code base and therefore it would not be possible for an attacker to take advantage of this exploit in our products.
It's possible that the versions used will be updated in the future, but this is out of our control to some extent because we rely on the versions shipped with Liferay and Jaspersoft products. However, we can confidently confirm that UMP, UIM, and Unified Reporter are NOT vulnerable to this exploit even in the identified versions.