The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
poi.apache.org/changes.html
rhn.redhat.com/errata/RHSA-2014-1370.html
rhn.redhat.com/errata/RHSA-2014-1398.html
rhn.redhat.com/errata/RHSA-2014-1399.html
rhn.redhat.com/errata/RHSA-2014-1400.html
www-01.ibm.com/support/docview.wss?uid=swg21996759
www.apache.org/dist/poi/release/RELEASE-NOTES.txt
exchange.xforce.ibmcloud.com/vulnerabilities/95770
github.com/apache/poi
github.com/apache/poi/commit/103b45073c7b504236588b3acc146530205af53c
github.com/apache/poi/commit/236c3c52a9b90688b2e57ec503559409e29f33ed
github.com/apache/poi/commit/6050a68d5adfb4ffef1edb778add09bcee32d1c3
github.com/apache/poi/commit/d72bd78c19dfb7b57395a66ae8d9269d59a87bd2
github.com/apache/poi/commit/eabb6a924be24abb879372d0bc967e0d316b2cf8
lucene.apache.org/solr/solrnews.html#18-august-2014-recommendation-to-update-apache-poi-in-apache-solr-480-481-and-490-installations
nvd.nist.gov/vuln/detail/CVE-2014-3529
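
As an added example (not code from Apache POI or from this advisory), a pre-ingestion check that flags OpenXML packages whose XML parts carry a DOCTYPE, the construct an entity declaration like the one described above requires. The function names, the size cap and the sample packages are assumptions constructed for illustration.

```python
import io
import zipfile
from xml.parsers import expat

MAX_PART_BYTES = 16 * 1024 * 1024  # assumed per-part read cap (limits zip-bomb impact)

class DoctypeFound(Exception):
    """Raised from the expat handler to abort parsing at the first DOCTYPE."""

def part_has_doctype(xml_bytes):
    """True if the part declares a DOCTYPE; parsing stops before any entity is handled."""
    parser = expat.ParserCreate()  # expat honours the BOM, so UTF-16 parts are covered

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeFound(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DoctypeFound:
        return True
    except expat.ExpatError:
        pass  # malformed or truncated part with no DOCTYPE seen before the error
    return False

def scan_ooxml(package_bytes):
    """Return the names of XML parts in an OOXML (zip) package that contain a DOCTYPE."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels", ".vml")):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_PART_BYTES)
            if part_has_doctype(data):
                flagged.append(info.filename)
    return flagged

def build_package(parts):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a clean package and one with DOCTYPEs in UTF-8 and UTF-16 parts.
TYPES = b'<?xml version="1.0"?><Types/>'
CLEAN = build_package({"[Content_Types].xml": TYPES, "word/document.xml": b"<document/>"})
SUSPECT = build_package({"[Content_Types].xml": TYPES,
    "word/document.xml": b'<!DOCTYPE d [<!ENTITY x SYSTEM "constructed-placeholder">]><d/>',
    "word/settings.xml": '<!DOCTYPE s []><s/>'.encode("utf-16")})
```

Legitimate OOXML parts do not need a DOCTYPE, so any name returned by `scan_ooxml` is grounds to reject or quarantine the file before it reaches a parser.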