CINXE.COM

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <META http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta content="Apache Forrest" name="Generator"> <meta name="Forrest-version" content="0.9"> <meta name="Forrest-skin-name" content="pelt"> <title>Apache POI™ - the Java API for Microsoft Documents</title> <link type="text/css" href="skin/basic.css" rel="stylesheet"> <link media="screen" type="text/css" href="skin/screen.css" rel="stylesheet"> <link media="print" type="text/css" href="skin/print.css" rel="stylesheet"> <link type="text/css" href="skin/profile.css" rel="stylesheet"> <script src="skin/getBlank.js" language="javascript" type="text/javascript"></script><script src="skin/getMenu.js" language="javascript" type="text/javascript"></script><script src="skin/fontsize.js" language="javascript" type="text/javascript"></script> <link rel="shortcut icon" href="images/favicon.ico"> </head> <body onload="init()"> <script type="text/javascript">ndeSetTextSize();</script> <div id="top">  <div class="breadtrail"> <a href="https://www.apache.org">Apache Software Foundation</a> > <a href="https://poi.apache.org">Apache POI</a><script src="skin/breadcrumbs.js" language="JavaScript" type="text/javascript"></script> </div>  <div class="header">  <div class="grouplogo"> <a href="https://www.apache.org"><img class="logoImage" alt="Apache Software Foundation" src="images/group-logo.png" title="The Apache Software Foundation is a cornerstone of the modern Open Source software ecosystem – supporting some of the most widely used and important software solutions powering today's Internet economy."></a> </div>   <div class="projectlogo"> <a href="https://poi.apache.org"><img class="logoImage" alt="Apache POI" src="images/project-header.png" title="Apache POI is well-known in the Java field as a library for reading and writing Microsoft Office file formats, such as Excel, PowerPoint, Word, Visio, Publisher and Outlook. It supports both the older (OLE2) and new (OOXML - Office Open XML) formats."></a> </div>   <div class="searchbox"> <form action="https://www.google.com/search" method="get" class="roundtopsmall"> <input value="poi.apache.org" name="sitesearch" type="hidden"><input onFocus="getBlank (this, 'Search the site with google');" size="25" name="q" id="query" type="text" value="Search the site with google">  <input name="Search" value="Search" type="submit"> </form> </div>   <ul id="tabs"> <li class="current"> <a class="selected" href="index.html">Home</a> </li> <li> <a class="unselected" href="help/index.html">Help</a> </li> <li> <a class="unselected" href="components/index.html">Component APIs</a> </li> <li> <a class="unselected" href="devel/index.html">Getting Involved</a> </li> </ul>  </div> </div> <div id="main"> <div id="publishedStrip">  <div id="level2tabs"></div>  <script type="text/javascript"></script> </div>  <div class="breadtrail">   </div>   <div id="menu"> <div onclick="SwitchMenu('menu_selected_1.1', 'skin/')" id="menu_selected_1.1Title" class="menutitle" style="background-image: url('skin/images/chapter_open.gif');">Overview</div> <div id="menu_selected_1.1" class="selectedmenuitemgroup" style="display: block;"> <div class="menupage"> <div class="menupagetitle">Home</div> </div> <div class="menuitem"> <a href="download.html">Download</a> </div> <div class="menuitem"> <a href="changes.html">Changelog</a> </div> <div class="menuitem"> <a href="apidocs/index.html">Javadocs</a> </div> <div class="menuitem"> <a href="text-extraction.html">Text Extraction</a> </div> <div class="menuitem"> <a href="encryption.html">Encryption support</a> </div> <div class="menuitem"> <a href="security.html">Secure processing</a> </div> <div class="menuitem"> <a href="casestudies.html">Case Studies</a> </div> <div class="menuitem"> <a href="related-projects.html">Related projects</a> </div> <div class="menuitem"> <a href="legal.html">Legal</a> </div> </div> <div onclick="SwitchMenu('menu_1.2', 'skin/')" id="menu_1.2Title" class="menutitle">Apache Wide</div> <div id="menu_1.2" class="menuitemgroup"> <div class="menuitem"> <a href="https://www.apache.org/">Apache Software Foundation</a> </div> <div class="menuitem"> <a href="https://www.apache.org/licenses/">License</a> </div> <div class="menuitem"> <a href="https://www.apache.org/foundation/sponsorship.html">Sponsorship</a> </div> <div class="menuitem"> <a href="https://www.apache.org/foundation/thanks.html">Thanks</a> </div> <div class="menuitem"> <a href="https://www.apache.org/security/">Security</a> </div> <div class="menuitem"> <a href="https://privacy.apache.org/policies/privacy-policy-public.html">Privacy</a> </div> </div> <div id="credit"> <hr> <a href="https://www.apache.org/events/current-event.html"><img border="0" title="Apache Event" alt="Apache Event - logo" src="https://www.apache.org/events/current-event-125x125.png" style="width: 125px;height: 125px;"></a> </div> <div id="roundbottom"> <img style="display: none" class="corner" height="15" width="15" alt="" src="skin/images/rc-b-l-15-1body-2menu-3menu.png"></div>  <div id="credit2"> <a href="https://donate.apache.org/"><img border="0" title="Support Apache" alt="Support Apache - logo" src="images/support-asf.png" style="width: 125px;height: 125px;"></a><a href="https://www.apache.org/foundation/press/kit/#poweredby"><img border="0" title="powered by POI" alt="powered by POI - logo" src="images/poweredby-poi-logo.png" style="width: 125px;height: 125px;"></a> </div> </div>   <div id="content"> <h1>Apache POI™ - the Java API for Microsoft Documents</h1> <div id="front-matter"></div> <a name="Project+News"></a> <h2 class="boxed">Project News</h2> <div class="section"> <a name="11+November+2024+-+Avoid+log4j-api+2.24.1"></a> <h3 class="boxed">11 November 2024 - Avoid log4j-api 2.24.1</h3> <p>When testing a potential Apache POI 5.4.0 release, we discovered a serious bug in log4j-api 2.24.1. This leads to NullPointerExceptions when you use log4j-core that is not of the exact same version (2.24.1). We recommend that users avoid log4j 2.24.x.</p> <p>Please direct any queries to the Log4j Team. The main issue is <a href="https://github.com/apache/logging-log4j2/issues/3143">Issue 3143</a>.</p> <p>An XMLBeans 5.2.2 release was recently made and that has the problematic log4j-api 2.24.1 dependency. <a href="https://xmlbeans.apache.org/">XMLBeans 5.2.2</a> doesn't have many changes so users should avoid it unless they need the changes in it. If you must use that XMLBeans release, you will need to carefully test the upgrade.</p> <a name="2+July+2024+-+POI+5.3.0+available"></a> <h3 class="boxed">2 July 2024 - POI 5.3.0 available</h3> <p>The Apache POI team is pleased to announce the release of 5.3.0. Several dependencies were updated to their latest versions to pick up security fixes and other improvements.</p> <p>A summary of changes is available in the <a href="https://www.apache.org/dyn/closer.lua/poi/release/RELEASE-NOTES.txt">Release Notes</a>. A full list of changes is available in the <a href="changes.html#5.3.0">change log</a>. People interested should also follow the <a href="help/index.html">dev list</a> to track progress.</p> <p>See the <a href="download.html#POI-5.3.0">downloads</a> page for more details.</p> <p>POI requires Java 8 or newer since version 4.0.1.</p> <a name="4+March+2022+-+CVE-2022-26336+-+A+carefully+crafted+TNEF+file+can+cause+an+out+of+memory+exception+in+Apache+POI+poi-scratchpad+versions+prior+to+5.2.0"></a> <h3 class="boxed">4 March 2022 - CVE-2022-26336 - A carefully crafted TNEF file can cause an out of memory exception in Apache POI poi-scratchpad versions prior to 5.2.0</h3> <p>Description:<br> A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception.</p> <p>Mitigation:<br> Affected users are advised to update to poi-scratchpad 5.2.1 or above which fixes this vulnerability. It is recommended that you use the same versions of all POI jars.</p> <a name="10%2B16%2B18+December+2021-+Log4j+vulnerabilities+CVE-2021-44228%2C+CVE-2021-45046+and+CVE-2021-45105"></a> <h3 class="boxed">10+16+18 December 2021- Log4j vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105</h3> <p>The Apache POI PMC has evaluated the security vulnerabilities reported for Apache Log4j.</p> <p>POI 5.1.0 and XMLBeans 5.0.2 only have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core.</p> <p>If any POI or XMLBeans user uses log4j-core to control their logging of their application, we strongly recommend that they upgrade all their log4j dependencies to the latest version (currently v2.20.0) - including log4j-api.</p> <a name="13+January+2021+-+CVE-2021-23926+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+XMLBeans+versions+prior+to+3.0.0"></a> <h3 class="boxed">13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0</h3> <p>Description:<br> When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.</p> <p>This issue was fixed a few years ago but on review, we decided we should have a CVE to raise awareness of the issue.</p> <p>Mitigation:<br> Affected users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.</p> <p>References: <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a> </p> <a name="20+October+2019+-+CVE-2019-12415+-+XML+External+Entity+%28XXE%29+Processing+in+Apache+POI+versions+prior+to+4.1.1"></a> <h3 class="boxed">20 October 2019 - CVE-2019-12415 - XML External Entity (XXE) Processing in Apache POI versions prior to 4.1.1</h3> <p>Description:<br> When using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.</p> <p>Mitigation:<br> Apache POI 4.1.0 and before: users who do not use the tool XSSFExportToXml are not affected. Affected users are advised to update to Apache POI 4.1.1 which fixes this vulnerability.</p> <p>Credit: This issue was discovered by Artem Smotrakov from SAP</p> <p>References: <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack">XML external entity attack</a> </p> <a name="26+March+2019+-+XMLBeans+3.1.0+available"></a> <h3 class="boxed">26 March 2019 - XMLBeans 3.1.0 available</h3> <p>The Apache POI team is pleased to announce the release of XMLBeans 3.1.0. Featured are a handful of bug fixes.</p> <p>The Apache POI project has unretired the XMLBeans codebase and is maintaining it as a sub-project, due to its importance in the poi-ooxml codebase.</p> <p>A summary of changes is available in the <a href="https://svn.apache.org/viewvc/xmlbeans/trunk/CHANGES.txt?view=markup">Release Notes</a>. People interested should also follow the <a href="help/index.html">POI dev list</a> to track progress.</p> <p>The XMLBeans <a href="https://issues.apache.org/jira/projects/XMLBEANS">JIRA project</a> has been reopened and feel free to open issues.</p> <p>POI 4.1.0 uses XMLBeans 3.1.0.</p> <p>XMLBeans requires Java 6 or newer since version 3.0.2.</p> <a name="11+January+2019+-+Initial+support+for+JDK+11"></a> <h3 class="boxed">11 January 2019 - Initial support for JDK 11</h3> <p>We did some work to verify that compilation with Java 11 is working and that all unit-tests pass. </p> <p>See the details in the <a href="help/faq.html#faq-N102B0">FAQ entry</a>.</p> </div> <a name="Mission+Statement"></a> <h2 class="boxed">Mission Statement</h2> <div class="section"> <p> The Apache POI Project's mission is to create and maintain Java APIs for manipulating various file formats based upon the Office Open XML standards (OOXML) and Microsoft's OLE 2 Compound Document format (OLE2). In short, you can read and write MS Excel files using Java. In addition, you can read and write MS Word and MS PowerPoint files using Java. Apache POI is your Java Excel solution (for Excel 97-2008). We have a complete API for porting other OOXML and OLE2 formats and welcome others to participate. </p> <p> OLE2 files include most Microsoft Office files such as XLS, DOC, and PPT as well as MFC serialization API based file formats. The project provides APIs for the <a href="components/poifs/">OLE2 Filesystem (POIFS)</a> and <a href="components/hpsf/">OLE2 Document Properties (HPSF)</a>. </p> <p> Office OpenXML Format is the new standards based XML file format found in Microsoft Office 2007 and 2008. This includes XLSX, DOCX and PPTX. The project provides a low level API to support the Open Packaging Conventions using <a href="components/oxml4j/index.html">openxml4j</a>. </p> <p> For each MS Office application there exists a component module that attempts to provide a common high level Java api to both OLE2 and OOXML document formats. This is most developed for <a href="components/spreadsheet/">Excel workbooks (SS=HSSF+XSSF)</a>. Work is progressing for <a href="components/document/">Word documents (WP=HWPF+XWPF)</a> and <a href="components/slideshow/">PowerPoint presentations (SL=HSLF+XSLF)</a>. </p> <p> The project has some support for <a href="components/hsmf/index.html">Outlook (HSMF)</a>. Microsoft opened the specifications to this format in October 2007. We would welcome contributions. </p> <p> There are also projects for <a href="components/diagram/index.html">Visio (HDGF and XDGF)</a>, <a href="components/hmef/index.html">TNEF (HMEF)</a>, and <a href="components/hpbf/">Publisher (HPBF)</a>. </p> <p> As a general policy we collaborate as much as possible with other projects to provide this functionality. Examples include: <a href="https://xml.apache.org/cocoon">Cocoon</a> for which there are serializers for HSSF; <a href="https://www.openoffice.org">Open Office.org</a> with whom we collaborate in documenting the XLS format; and <a href="https://tika.apache.org/">Tika</a> / <a href="https://lucene.apache.org">Lucene</a>, for which we provide format interpretors. When practical, we donate components directly to those projects for POI-enabling them. </p> <a name="Why+should+I+use+Apache+POI%3F"></a> <h3 class="boxed">Why should I use Apache POI?</h3> <p> A major use of the Apache POI api is for <a href="text-extraction.html">Text Extraction</a> applications such as web spiders, index builders, and content management systems. </p> <p> So why should you use POIFS, HSSF or XSSF? </p> <p> You'd use POIFS if you had a document written in OLE 2 Compound Document Format, probably written using MFC, that you needed to read in Java. Alternatively, you'd use POIFS to write OLE 2 Compound Document Format if you needed to inter-operate with software running on the Windows platform. We are not just bragging when we say that POIFS is the most complete and correct implementation of this file format to date! </p> <p> You'd use HSSF if you needed to read or write an Excel file using Java (XLS). You'd use XSSF if you need to read or write an OOXML Excel file using Java (XLSX). The combined SS interface allows you to easily read and write all kinds of Excel files (XLS and XLSX) using Java. Additionally there is a specialized SXSSF implementation which allows to write very large Excel (XLSX) files in a memory optimized way. </p> <a name="Components"></a> <h3 class="boxed">Components</h3> <p> The Apache POI Project provides several component modules some of which may not be of interest to you. Use the information on our <a href="components/">Components</a> page to determine which jar files to include in your classpath. </p> </div> <a name="Contributing"></a> <h2 class="boxed">Contributing</h2> <div class="section"> <p> So you'd like to contribute to the project? Great! We need enthusiastic, hard-working, talented folks to help us on the project, no matter your background. So if you're motivated, ready, and have the time: Download the source from the <a href="devel/subversion.html">Subversion Repository</a>, <a href="devel/index.html">build the code</a>, join the <a href="help/index.html">mailing lists</a>, and we'll be happy to help you get started on the project! </p> <p> Please read our <a href="devel/guidelines.html">Contribution Guidelines</a>. When your contribution is ready submit a patch to our <a href="https://bz.apache.org/bugzilla/buglist.cgi?product=POI">Bug Database</a>. </p> </div> </div>  <div class="clearboth"> </div> </div> <div id="footer">  <div class="lastmodified"> <script type="text/javascript"></script> </div> <div class="copyright"> Copyright © 2001-2024 <a href="https://www.apache.org/">The Apache Software Foundation</a> <br> Apache, Apache POI, the Apache feather logo, and the Apache POI logos are trademarks of The Apache Software Foundation. </div> <div id="logos"> <a href="https://validator.w3.org/check/referer"><img style="height: 31px; width: 88px;" title="Valid HTML 4.01!" alt="Valid HTML 4.01!" src="skin/images/valid-html401.png" class="logoImage"></a><a href="https://jigsaw.w3.org/css-validator/check/referer"><img style="height: 31px; width: 88px;" title="Valid CSS!" alt="Valid CSS!" src="skin/images/vcss.png" class="logoImage"></a> </div> <div id="feedback"> Send feedback about the website to: <a id="feedbackto" href="mailto:dev@poi.apache.org?subject=Feedback%C2%A0index.html">dev@poi.apache.org</a> </div>  </div> </body> </html>