Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Upcomming Trips

Social Networks

Popular Articles

Winmail.dat

Who am I?

Feeds

 Content
 Comments

Recent Entries

HCL Notes/Domino - Apache
Next HCL Domino Events ne
Webinar : HCL Notes 14.5
Next Domino Events near y
HCL Domino 14.5 - Join me

Archives

October 2025 (1)
September 2025 (1)
July 2025 (1)
June 2025 (2)
April 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (2)
October 2024 (2)
September 2024 (1)
July 2024 (1)
May 2024 (2)
April 2024 (3)
March 2024 (1)
February 2024 (2)
January 2024 (5)
December 2023 (3)
November 2023 (2)
October 2023 (1)
September 2023 (4)
June 2023 (1)
April 2023 (3)
March 2023 (1)
February 2023 (1)
July 2022 (1)
September 2021 (1)
August 2021 (2)
May 2021 (1)
February 2021 (3)
January 2021 (1)
November 2020 (1)
October 2020 (2)
September 2020 (2)
March 2020 (1)
November 2019 (1)
August 2019 (1)
July 2019 (1)
March 2019 (1)
December 2018 (1)
November 2018 (1)
October 2018 (1)
September 2018 (1)
May 2018 (1)
January 2018 (1)
December 2017 (1)
November 2017 (1)
September 2017 (1)
March 2017 (2)
February 2017 (5)
November 2016 (1)
September 2016 (4)
April 2016 (1)
March 2016 (7)
January 2016 (1)
December 2015 (1)
November 2015 (3)
August 2015 (1)
July 2015 (2)
June 2015 (5)
May 2015 (5)
March 2015 (3)
February 2015 (2)
January 2015 (4)
December 2014 (3)
November 2014 (1)
September 2014 (4)
August 2014 (1)
May 2014 (4)
April 2014 (1)
March 2014 (2)
February 2014 (3)
January 2014 (2)
October 2013 (1)
September 2013 (1)
August 2013 (2)
July 2013 (2)
March 2013 (2)
February 2013 (4)
January 2013 (3)
December 2012 (2)
November 2012 (1)
October 2012 (2)
September 2012 (4)
August 2012 (3)
July 2012 (1)
June 2012 (6)
May 2012 (1)
February 2012 (2)
January 2012 (1)
December 2011 (4)
November 2011 (2)
September 2011 (1)
May 2011 (2)
March 2011 (1)
January 2011 (1)
November 2010 (5)
October 2010 (2)
September 2010 (2)
August 2010 (1)
July 2010 (3)
June 2010 (1)

HCL Notes/Domino - Apache Tika Vulnerability (CVE-2025-54988)

Thomas Hampel
 8 October 2025
Certain versions of HCL Notes and Domino (but not all) are affected by the vulnerability in Apache Tika (CVE-2025-54988)
Apache Tika has an issue with indexing PDF attachments.

For context, the criticality for HCL Notes and Domino might be lower than what the CVE rating indicates because these products usually run in a non-priviliged (non-Root) environment.

Background:
Apache Tika is used in Domino for full-text indexing when:
1. indexing of attachments is enabled
>and<
2. conversion filters is enabled

see Database Properties:
Image:HCL Notes/Domino - Apache Tika Vulnerability (CVE-2025-54988)

Image:HCL Notes/Domino - Apache Tika Vulnerability (CVE-2025-54988)

Apache Tika is based on Java and updated versions of Tika have already been published by the maintainers of Tika for Java 11+
Just replacing the Tika files manually would technically work with Domino 14.0 and higher, but not with Domino 12.0.x and below as those versions are using Java 8
Tika no longer supports Java 8 - see this
Furthermore it is not recommended to manually replace files in the HCL product as it will break future updates and fixes because the installer is looking for file checksums.

Mitigation actions
Have been published already in these technotes:
- HCL Notes: KB0124165
- HCL Domino: KB0124164

However, customers are asking when they can expect a fix for the particular version they have in use.

We have just published a technote to set expectations for when (and if) a fix will be made available:
see KB0124451 - How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988

Updates are going to be provided only for the latest fixpack of each product version.

Current status:
The issue is fixed in:
- Download - Notes/Domino 14.5 Fix Pack 1
- Download - Notes/Domino 14.0 Fix Pack 4 Interim Fix 1 - for Win/Linux/AIX

Next up is to provide Fix Pack 7 for 12.0.2 FP7
additional details are provided in KB0124451

References:
- How to Configure Notes and Domino To Protect Against Apache Tika Vulnerability CVE-2025-54988
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124451

- Security Bulletin: HCL Notes is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124165

- Security Bulletin: HCL Domino is affected by an XML External Entity (XXE) vulnerability in Apache Tika (CVE-2025-54988)
https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124164

- Apache Tike Roadmap / End of life for Tika on Java8
https://cwiki.apache.org/confluence/display/TIKA/Tika+Roadmap+--+2.x%2C+3.x+and+Beyond
Comments [0]
Tagged with: Domino Security
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.