How can I fix the Apache Commons Collection 3.1 Java object de-serialisation vulnerability if I have CA SSO 12.52 SP1?

Article ID: 14751

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Apache has reported a Java object deserialisation vulnerability in the Commons Collections library; see

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

The issue affects version 3.1 of the library and is corrected in versions 3.2.2 and 4.1.

According to the third-party software acknowledgments for CA Single Sign On 12.52 SP1

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/third-party-software-acknowledgments

Commons Collections 3.1 is listed as a bundled component.

Is there a fix for CA Single Sign On 12.52 SP1 that addresses the Java deserialisation vulnerability found in Commons Collections 3.1?

Environment

Component: SMPLC

Resolution

This has been fixed and verified in R12.52 SP1 CR06 for Policy Server, AdminUI and Secure Proxy Server on a variety of platforms. Upgrade to this release to correct the issue.
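One way to confirm which Commons Collections version an installation actually ships, both before and after applying CR06, is to inspect the bundled jars. The script below is an added example, not part of this article or of CA's own tooling: it walks a directory tree, identifies jars that contain Commons Collections classes, reads the version from the manifest (or the file name) and flags anything below the fixed releases named above (3.2.2 for the 3.x line, 4.1 for the 4.x line). The sample jars it builds are constructed for illustration only; point scan() at a real product directory instead.

```python
import re, tempfile, zipfile
from pathlib import Path

FIXED = {3: (3, 2, 2), 4: (4, 1, 0)}  # first fixed release per major line, per the Apache statement
PACKAGES = ("org/apache/commons/collections/", "org/apache/commons/collections4/")

def parse_version(text):
    """'3.2.2' -> (3, 2, 2); '4.1' -> (4, 1, 0); qualifiers such as '-SNAPSHOT' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_fixed(version):
    """True only at or above the fixed release of the version's major line; unknown lines are False."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return fixed is not None and v >= fixed

def inspect_jar(jar):
    """(version, fixed) if the jar ships Commons Collections classes, else None."""
    with zipfile.ZipFile(jar) as z:
        names = z.namelist()
        if not any(n.startswith(PACKAGES) for n in names):
            return None
        mf = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    # Prefer the manifest's Implementation-/Bundle-Version; fall back to the version suffix in the file name.
    m = (re.search(r"^(?:Implementation|Bundle)-Version:\s*(\S+)", mf, re.M)
         or re.search(r"commons-collections4?-(\d+(?:\.\d+)*)", Path(jar).name))
    version = m.group(1) if m else None
    return version, (is_fixed(version) if version else None)

def scan(root):
    """Map jar name -> (version, fixed) for every Commons Collections jar under root."""
    jars = (j for j in sorted(Path(root).rglob("*.jar")) if zipfile.is_zipfile(j))
    return {j.name: hit for j in jars if (hit := inspect_jar(j))}

def build_sample_tree(root=None):
    """Constructed sample jars (not a real product tree): one affected, one fixed, one unrelated."""
    root = Path(root or tempfile.mkdtemp())
    for name, ver in (("commons-collections-3.1.jar", "3.1"), ("commons-collections-3.2.2.jar", "3.2.2")):
        with zipfile.ZipFile(root / name, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
            z.writestr("org/apache/commons/collections/map/LazyMap.class", b"")
    with zipfile.ZipFile(root / "other.jar", "w") as z:
        z.writestr("com/example/App.class", b"")
    return root

if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

A jar whose version cannot be determined is reported with (None, None) so it is reviewed by hand rather than silently passed.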