diff --git a/Adjust-handling-of-SchemaFactory.patch b/Adjust-handling-of-SchemaFactory.patch
new file mode 100644
index 0000000000000000000000000000000000000000..50a27d36e6b2467cfecd439e87d049917126e03d
--- /dev/null
+++ b/Adjust-handling-of-SchemaFactory.patch
@@ -0,0 +1,61 @@
+From 06f28db213744590c98feed69bda7d5f5c011b38 Mon Sep 17 00:00:00 2001
+From: PJ Fanning
+Date: Tue, 24 Sep 2019 18:33:37 +0000
+Subject: [PATCH] Bug 63768: Adjust handling of SchemaFactory
+
+git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1867484 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../poi/xssf/extractor/XSSFExportToXml.java | 16 +-
+ .../xssf/extractor/TestXSSFExportToXML.java | 532 +++++++++---------
+ test-data/spreadsheet/xxe_in_schema.xlsx | Bin 0 -> 9801 bytes
+ 3 files changed, 286 insertions(+), 262 deletions(-)
+ create mode 100644 test-data/spreadsheet/xxe_in_schema.xlsx
+
+diff --git a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
+index 9320a226db..53984fec28 100644
+--- a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
++++ b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
+@@ -28,6 +28,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+ import java.util.Map;
+ import java.util.Vector;
+
++import javax.xml.XMLConstants;
+ import javax.xml.transform.OutputKeys;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+@@ -241,9 +242,10 @@ public void exportToXML(OutputStream os, String encoding, boolean validate) thro
+ * @throws SAXException If validating the document fails
+ */
+ private boolean isValid(Document xml) throws SAXException{
+- try{
++ try {
+ String language = "http://www.w3.org/2001/XMLSchema";
+ SchemaFactory factory = SchemaFactory.newInstance(language);
++ trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+ Source source = new DOMSource(map.getSchema());
+ Schema schema = factory.newSchema(source);
+@@ -313,7 +315,7 @@ private Node getNodeByXPath(String xpath,Node rootNode,Document doc,boolean crea
+ String[] xpathTokens = xpath.split("/");
+
+
+- Node currentNode =rootNode;
++ Node currentNode = rootNode;
+ //
The first token is empty, the second is the root node + for(int i =2; i= 4.1 apache-commons-codec apache-commons-logging @@ -63,6 +64,7 @@ This package contains the API documentation for %{name}. %setup -q -n poi-%{version} %patch1 %patch2 +%patch3 -p1 find -name '*.class' -delete find -name '*.jar' -delete mkdir lib ooxml-lib @@ -132,5 +134,8 @@ done %license LICENSE NOTICE %changelog +* Tue Dec 1 2020 huanghaitao - 3.17-2 +- Fix CVE-2019-12415 + * Thu Aug 13 2020 chengzihan - 3.17-1 - Package init
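Review bot: In the embedded patch, `isValid` relies on `FEATURE_SECURE_PROCESSING` alone before `factory.newSchema(source)`, even though the schema from `map.getSchema()` comes from the workbook being processed. What secure processing restricts varies by JAXP implementation, so I would also set `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")` where the implementation supports them. The body of `trySetFeature` is not visible in this part of the page; if it tolerates a failed `setFeature`, as its name suggests, validation continues on an unhardened factory, so that path should at least log and preferably fail closed. The embedded diffstat still lists the test changes and `xxe_in_schema.xlsx`, which a 61-line patch file cannot carry, so the regression test for this fix appears not to run in the package build.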