In reviewing UIM we have found that Apache POI is included in the following products:
- UMP / Liferay
- Unified Reporter
Is UIM vulnerable to CVE-2016-5000?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5000
Per our development teams and security engineer, we received the following detail:
We've taken a deep look at this exploit, and although we can confirm that we do use an affected version of Apache POI (less than 3.14), in order for an attacker to take advantage of this exploit, it would require that specific functionality be enabled and used inside the code. Specifically, this is functionality that allows end-users to upload OpenXML documents and have them converted/exported in CSV format.
This code is not implemented or present in any part of our code base and therefore it would not be possible for an attacker to take advantage of this exploit in our products.
It's possible that the versions used will be updated in the future, but this is out of our control to some extent because we rely on the versions shipped with Liferay and Jaspersoft products. However, we can confidently confirm that UMP, UIM, and Unified Reporter are NOT vulnerable to this exploit.
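The statement above rests on two facts a reader may want to confirm on their own install: which Apache POI jars actually ship with the product and whether their versions fall below the 3.14 threshold it quotes. The following shell script is an added example, not part of the KB article or the vendor's code. It assumes the jars follow the usual `poi[-module]-<version>.jar` filename convention and takes the install root directory as its first argument (a hypothetical path you supply).

```shell
#!/bin/sh
# Added example: list Apache POI jars under an install tree and flag
# versions below a threshold (3.14 by default, as quoted in the statement).
# Assumes jars are named poi[-module]-<version>.jar; "$1" is the install root.

# ver_lt A B : true if dotted-numeric version A sorts below B
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# poi_version FILE : version from a POI jar filename, e.g. poi-ooxml-3.13.jar -> 3.13
poi_version() {
    basename "$1" .jar | sed -E 's/^poi(-[a-z-]+)?-([0-9]+(\.[0-9]+)*)$/\2/'
}

# scan_poi DIR [THRESHOLD] : print "<jar> <version> AFFECTED|ok|unknown" per POI jar
scan_poi() {
    dir=$1; threshold=${2:-3.14}
    find "$dir" -type f -name 'poi*.jar' | sort | while read -r jar; do
        v=$(poi_version "$jar")
        case $v in
            # filename did not yield a plain dotted version (e.g. a beta tag)
            *[!0-9.]*|'') status=unknown ;;
            *) if ver_lt "$v" "$threshold"; then status=AFFECTED; else status=ok; fi ;;
        esac
        printf '%s %s %s\n' "$(basename "$jar")" "$v" "$status"
    done
}

# Usage (hypothetical install root): scan_poi /opt/nimsoft 3.14
```

Note what this does and does not establish: a line marked `AFFECTED` only confirms that a POI build below the threshold is present, which the statement already concedes. It says nothing about whether the OpenXML-to-CSV code path the statement describes as absent is actually reachable in the product; that part of the assessment can only be verified by reviewing the application code that calls into POI.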