We have found the UIM has the Apache POI component deployed with the UMP and Unified reporter. We need to know if this is vulnerable to the CVE-2016-5000 exploit?
search cancel

We have found the UIM has the Apache POI component deployed with the UMP and Unified reporter. We need to know if this is vulnerable to the CVE-2016-5000 exploit?

book

Article ID: 11806

calendar_today

Updated On:

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction



In reviewing UIM we have found that the Apache POI is included in the  following Products:
- UMP / Liferay
- Unified Reporter

Are the UIM vulnerable to CVE-2016-5000?

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5000

Environment

UIM 8.4UIM 8.4 SP1UIM 8.4 SP2UIM 8.47

Resolution

Per our development teams and security engineer and received the following detail:

We've taken a deep look at this exploit, and although we can confirm that we do use an affected version of Apache POI (less than 3.14), in order for an attacker to take advantage of this exploit, it would require that specific functionality be enabled and used inside the code. Specifically, this is functionality that allows end-users to upload OpenXML documents and have them converted/exported in CSV format.

This code is not implemented or present in any part of our code base and therefore it would not be possible for an attacker to take advantage of this exploit in our products.

It's possible that the versions used will be updated in the future, but this is out of our control to some extent because we rely on the versions shipped with Liferay and Jaspersoft products. However, we can confidently confirm that UMP, UIM, and Unified Reporter are NOT vulnerable to this exploit.