
    Apache POI compatibility 3.17 vs 4

    We just updated some of our system dependencies; specifically, we went from POI 3.17 to POI 4, and the Excel export function is now broken.
    We have the stacktrace you can see below.

    Is support for POI 4 in your roadmap?
    And if so, what is the timeline for it?

    Thank you :)

    " at com.isomorphic.rpc.ExcelDataExport.getExportObject("
    " at com.isomorphic.rpc.DataExport.exportResultSet("
    " at com.isomorphic.rpc.DataExport.exportResultSet("
    " at com.isomorphic.rpc.BuiltinRPC.downloadClientExport("
    " at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
    " at sun.reflect.NativeMethodAccessorImpl.invoke("
    " at sun.reflect.DelegatingMethodAccessorImpl.invoke("
    " at java.lang.reflect.Method.invoke("
    " at com.isomorphic.base.Reflection._invokeMethod("
    " at com.isomorphic.base.Reflection.adaptArgsAndInvoke("
    " at com.isomorphic.base.Reflection.adaptArgsAndInvoke("
    " at com.isomorphic.rpc.RPCDMI.execute("
    " at com.isomorphic.rpc.RPCDMI.execute("
    " at com.isomorphic.rpc.RPCRequest.execute("
    " at com.pci.portal.server.DataSourceResolver.handleRPCRequest("
    " at com.isomorphic.servlet.IDACall.processRPCTransaction("
    " at com.isomorphic.servlet.IDACall.processRequest("
    " at com.isomorphic.servlet.IDACall._processRequest("
    " at com.isomorphic.servlet.IDACall.doPost("
    " at javax.servlet.http.HttpServlet.service("

    It's not currently in the roadmap, and looks like the POI guys chose not to provide backward compatibility.

    Why did you update? Were you also using POI directly and needed a new feature, or was it just a "latest and greatest" kind of thing?

    Note: you can use Feature Sponsorship as a means of getting support on your timetable, if you need it.


      POI 3.17 has a series of security issues that are a concern for us and our customers.

      The update of POI is necessary for security reasons.

      Here is the vulnerability concerning us:

      And a few more reasons to update POI:


        The first vulnerability is related to parsing Excel docs, which we do not do:

        In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
        All of the other ones are too. We use POI only to generate documents and never to parse, so none of these apply.

        However, we definitely understand that sometimes a customer sees an irrelevant vulnerability and just cannot be made to understand that it doesn't apply! You could use some of your booked consulting time to have us estimate the effort, and use Feature Sponsorship to get it done (at 2 for 1 hour usage).


          By the way, another approach, if you end up desperate for a fix on an older version: just remove the classes with the vulnerabilities. We don't reference them, so this should work.


            Thank you for the precise response and the workaround, I will pass that up the chain.
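
The workaround suggested in the thread (removing the vulnerable classes from the older POI jar) can be scripted and verified. The sketch below is an added example, not code from Isomorphic or Apache POI: it copies a jar without `XSSFExportToXml` and its nested classes, then checks that none remain. The sample jar is constructed in memory, and the `XSSFExportToXmlHelper` entry is a hypothetical look-alike included only to show that prefix matches are not removed.

```python
import io
import zipfile

# Class named in the advisory text quoted in the thread, at its path inside
# the poi-ooxml jar. Extend this tuple for any other flagged classes.
FLAGGED = ("org/apache/poi/xssf/extractor/XSSFExportToXml",)


def is_flagged(entry, flagged=FLAGGED):
    """True for Outer.class and its nested/anonymous classes (Outer$X.class)."""
    if not entry.endswith(".class"):
        return False
    stem = entry[: -len(".class")]
    return any(stem == f or stem.startswith(f + "$") for f in flagged)


def strip_classes(src, dst, flagged=FLAGGED):
    """Copy jar `src` to `dst` without the flagged classes; return removed names."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if is_flagged(info.filename, flagged):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def remaining_flagged(jar, flagged=FLAGGED):
    """Verification step: flagged entries still present in `jar`."""
    with zipfile.ZipFile(jar) as z:
        return [n for n in z.namelist() if is_flagged(n, flagged)]


def build_sample_jar():
    """Constructed stand-in for a POI 3.17 jar (entry names only, dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in (
            "META-INF/MANIFEST.MF",
            "org/apache/poi/xssf/extractor/XSSFExportToXml.class",
            "org/apache/poi/xssf/extractor/XSSFExportToXml$1.class",
            # hypothetical look-alike name; must survive the strip
            "org/apache/poi/xssf/extractor/XSSFExportToXmlHelper.class",
            "org/apache/poi/xssf/usermodel/XSSFWorkbook.class",
        ):
            z.writestr(name, b"\xca\xfe\xba\xbe")
    return buf
```

`strip_classes` accepts file paths as well as file-like objects. After deploying the stripped jar, exercise the export path: any code that still references a removed class fails at run time with `NoClassDefFoundError`.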