HCL Notes/Domino - Apache Tika Vulnerability (CVE-2025-54988)
8 October 2025
Thomas Hampel
Certain versions of HCL Notes and Domino (but not all) are affected by the vulnerability in Apache Tika (CVE-2025-54988)
Apache Tika has an issue with indexing PDF attachments.
For context, the criticality for HCL Notes and Domino might be lower than what the CVE rating indicates because these products usually run in a non-priviliged (non-Root) environment.
Background:
Apache Tika is used in Domino for full-text indexing when:
1. indexing of attachments is enabled
>and<
2. conversion filters is enabled
see Database Properties:
Apache Tika is based on Java and updated versions of Tika have already been published by the maintainers of Tika for Java 11+
Just replacing the Tika files manually would technically work with Domino 14.0 and higher, but not with Domino 12.0.x and below as those versions are using Java 8
Tika no longer supports Java 8 - see this
Furthermore it is not recommended to manually replace files in the HCL product as it will break future updates and fixes because the installer is looking for file checksums.
Mitigation actions
Have been published already in these technotes:
- HCL Notes: KB0124165
- HCL Domino: KB0124164
However, customers are asking when they can expect a fix for the particular version they have in use.
We have just published a technote to set expectations for when (and if) a fix will be made available:
see KB0124451 - How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988
Updates are going to be provided only for the latest fixpack of each product version.
Current status:
The issue is fixed in:
- Download - Notes/Domino 14.5 Fix Pack 1
- Download - Notes/Domino 14.0 Fix Pack 4 Interim Fix 1 - for Win/Linux/AIX
Next up is to provide an Interim Fix on top of 12.0.2 FP7
additional details are provided in KB0124451
References:
- How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124451
- Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165
- Security Bulletin: HCL Domino is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124164
- Apache Tike Roadmap / End of life for Tika on Java8
https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond
Certain versions of HCL Notes and Domino (but not all) are affected by the vulnerability in Apache Tika (CVE-2025-54988)
Apache Tika has an issue with indexing PDF attachments.
For context, the criticality for HCL Notes and Domino might be lower than what the CVE rating indicates because these products usually run in a non-priviliged (non-Root) environment.
Background:
Apache Tika is used in Domino for full-text indexing when:
1. indexing of attachments is enabled
>and<
2. conversion filters is enabled
see Database Properties:
Apache Tika is based on Java and updated versions of Tika have already been published by the maintainers of Tika for Java 11+
Just replacing the Tika files manually would technically work with Domino 14.0 and higher, but not with Domino 12.0.x and below as those versions are using Java 8
Tika no longer supports Java 8 - see this
Furthermore it is not recommended to manually replace files in the HCL product as it will break future updates and fixes because the installer is looking for file checksums.
Mitigation actions
Have been published already in these technotes:
- HCL Notes: KB0124165
- HCL Domino: KB0124164
However, customers are asking when they can expect a fix for the particular version they have in use.
We have just published a technote to set expectations for when (and if) a fix will be made available:
see KB0124451 - How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988
Updates are going to be provided only for the latest fixpack of each product version.
Current status:
The issue is fixed in:
- Download - Notes/Domino 14.5 Fix Pack 1
- Download - Notes/Domino 14.0 Fix Pack 4 Interim Fix 1 - for Win/Linux/AIX
Next up is to provide an Interim Fix on top of 12.0.2 FP7
additional details are provided in KB0124451
References:
- How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124451
- Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165
- Security Bulletin: HCL Domino is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124164
- Apache Tike Roadmap / End of life for Tika on Java8
https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond
Next HCL Domino Events near you - September 2025
1 September 2025
Thomas Hampel
Hi Folks,
I guess many of you enjoyed the summer and probably took some time off for vacation.
Now back to business! It's time to level up your skills and meet like-minded professionals.
How about joining a conference or meetup near you to connect?
Here is a list of events just for the next few weeks:
12. September 2025 - Denmark/Ringsted - Notes.net
Notes.net Partner Meetup
18. September 2025 - South Korea / Seoul - Korea Domino User Group Meetup 2025
Location: WeWork Seoul Square
18. September 2025 - Japan/Osaka - DominoHub
=> register here
24. September 2025 - Germany / Karlsruhe - n-komm Connect
=> zur Anmeldung
25. September 2025 - Germany / München - HCL Roadshow 2025
=> zur Anmeldung
and there is more to come
in October with Let's Connect 2025 in Denmark/Copenhagen and Sweden/Stockholm
and finally I want to note that Accept IT also just announced their annual regional conferences
2. Dec. 2025 - Germany/Paderborn
4. Dec. 2025 - Germany/Düsseldorf
9. Dec. 2025 - Germany/Leipzig
11. Dec 2025 - Germany/Stuttgart
for more information see AcceptIT Anwendertage 2025
So pack your bags and join in for awesome talks and news around Domino!
Hi Folks,
I guess many of you enjoyed the summer and probably took some time off for vacation.
Now back to business! It's time to level up your skills and meet like-minded professionals.
How about joining a conference or meetup near you to connect?
Here is a list of events just for the next few weeks:
12. September 2025 - Denmark/Ringsted - Notes.net
Notes.net Partner Meetup
18. September 2025 - South Korea / Seoul - Korea Domino User Group Meetup 2025
Location: WeWork Seoul Square
18. September 2025 - Japan/Osaka - DominoHub
=> register here
24. September 2025 - Germany / Karlsruhe - n-komm Connect
=> zur Anmeldung
25. September 2025 - Germany / München - HCL Roadshow 2025
=> zur Anmeldung
and there is more to come
in October with Let's Connect 2025 in Denmark/Copenhagen and Sweden/Stockholm
and finally I want to note that Accept IT also just announced their annual regional conferences
2. Dec. 2025 - Germany/Paderborn
4. Dec. 2025 - Germany/Düsseldorf
9. Dec. 2025 - Germany/Leipzig
11. Dec 2025 - Germany/Stuttgart
for more information see AcceptIT Anwendertage 2025
So pack your bags and join in for awesome talks and news around Domino!
Tagged with: Conference
Webinar : HCL Notes 14.5 Feature Highlights an Enhancements
17 July 2025
Thomas Hampel
Webinar anouncement
HCL Notes 14.5: Feature Highlights and Enhancements
We will explore the latest updates designed to improve performance, usability, and user experience.
This webinar will cover key enhancements in the product such as the new Custom Application Builder, improved PWA and web client integration, and other improvements.
Learn how these updates can streamline your workflows and modernize your HCL Notes environment.
Whether you're an admin, developer, or end user, this webinar will provide valuable insights into what’s new and what to expect in Notes 14.5.
When?
Tuesday, 29 July 2025
16:00 CET - 17:00 CET
Registration Link
https://attendee.gotowebinar.com/register/3489002631583294813
Webinar anouncement
HCL Notes 14.5: Feature Highlights and Enhancements
We will explore the latest updates designed to improve performance, usability, and user experience.
This webinar will cover key enhancements in the product such as the new Custom Application Builder, improved PWA and web client integration, and other improvements.
Learn how these updates can streamline your workflows and modernize your HCL Notes environment.
Whether you're an admin, developer, or end user, this webinar will provide valuable insights into what’s new and what to expect in Notes 14.5.
When?
Tuesday, 29 July 2025
16:00 CET - 17:00 CET
Registration Link
https://attendee.gotowebinar.com/register/3489002631583294813
Tagged with: Community
Next Domino Events near you: DominoHUB (Tokyo/Japan) and DACHNUG in (Vienna/Austria)
17 June 2025
Thomas Hampel
Busy days ahead with two conferences on (almost) opposite time zones.
See me next week in Tokyo (Japan) and the week after in Vienna (Austria)
1. DominoHUB - The premiere event for Japan
With this years event theme "#DX (Domino Experience) - The Truth About Domino” the conference will be held in Tokyo to delve deeper into the latest information and usage of HCL Notes/Domino.
The power and potential of Domino will be introduced with actual case studies, and the latest technology trends will be explained.
This is a great opportunity to learn the truth about Domino and accelerate your business DX!
19. + 20. June 2025
https://www.dominohub.net/
I'm going to present on our new features in Domino 14.5 together with my colleague Matsuura-san
2. DACHNUG - Expert knowledge, networking & a unique supporting program
DACHNUG is far more than just a classic specialist conference ‐ it is the central meeting place for the German-speaking Notes/Domino and HCL software community.
This is where experts, decision-makers and users come together to exchange ideas, learn from each other and make valuable contacts.
23.-25.June.2025 ‐ Vienna / Austria
https://dnug.de/en/dachnug/
At this conference, you can find me in several sessions:
(1.) Carsten Jenn (TimeToAct) and me will host a workshop about Domino IQ,
(2.) Wannes Rams (ISW) and me will talk about Sovereign Cloud (a very hot topic these days!)
of course I'll be presenting (3.) the Domino Roadmap on Wednesday and finally will do a deep dive on (4.) Domino IQ together with Daniel Nashed
Safe Travels & See you soon !
またね
Busy days ahead with two conferences on (almost) opposite time zones.
See me next week in Tokyo (Japan) and the week after in Vienna (Austria)
1. DominoHUB - The premiere event for Japan
With this years event theme "#DX (Domino Experience) - The Truth About Domino” the conference will be held in Tokyo to delve deeper into the latest information and usage of HCL Notes/Domino.
The power and potential of Domino will be introduced with actual case studies, and the latest technology trends will be explained.
This is a great opportunity to learn the truth about Domino and accelerate your business DX!
19. + 20. June 2025
https://www.dominohub.net/
I'm going to present on our new features in Domino 14.5 together with my colleague Matsuura-san
2. DACHNUG - Expert knowledge, networking & a unique supporting program
DACHNUG is far more than just a classic specialist conference ‐ it is the central meeting place for the German-speaking Notes/Domino and HCL software community.
This is where experts, decision-makers and users come together to exchange ideas, learn from each other and make valuable contacts.
23.-25.June.2025 ‐ Vienna / Austria
https://dnug.de/en/dachnug/
At this conference, you can find me in several sessions:
(1.) Carsten Jenn (TimeToAct) and me will host a workshop about Domino IQ,
(2.) Wannes Rams (ISW) and me will talk about Sovereign Cloud (a very hot topic these days!)
of course I'll be presenting (3.) the Domino Roadmap on Wednesday and finally will do a deep dive on (4.) Domino IQ together with Daniel Nashed
Safe Travels & See you soon !
またね
HCL Domino 14.5 - Join me for the Launch Event on Tuesday June 17th at 16:00 CET
15 June 2025
Thomas Hampel
HCL Domino 14.5 is (almost) here, and it’s built for what matters now:
Private AI, Secure Collaboration, and complete control over your data.
Join us for the live launch on June 17 at 16:00 CET to explore what’s new in Domino 14.5 and Sametime 12.0.3, including:Smarter chat, persistent meetings Full deployment control: On-prem or trusted cloud
Register here
The launch event is scheduled to take place online at Linkedin. To join, you'll need to have a Linkedin account.
HCL Domino 14.5 is (almost) here, and it’s built for what matters now:
Private AI, Secure Collaboration, and complete control over your data.
Join us for the live launch on June 17 at 16:00 CET to explore what’s new in Domino 14.5 and Sametime 12.0.3, including:
- Domino IQ: Secure AI, behind your firewall
Register here
The launch event is scheduled to take place online at Linkedin. To join, you'll need to have a Linkedin account.