A vulnerability has been found on a Service Desk Manager server. The vulnerability is present in the commons-collections-3.2.1.jar file located in the SQL Server Management Studio installation folder.
Example:
/Program Files (x86)/Microsoft SQL Server Management Studio 18/Common7/IDE/CommonExtensions/Microsoft/SSIS/150/Extensions/Common/Jars/commons-collections-3.2.1.jar
or
/Program Files (x86)/Microsoft SQL Server Management Studio 19/Common7/IDE/CommonExtensions/Microsoft/SSIS/160/Extensions/Common/Jars/commons-collections-3.2.1.jar
Service Desk Manager 17.x
SQL Server
This vulnerability is related to CVE-2015-7501, which is present in a JAR file installed by SQL Server Management Studio (SSMS).
Microsoft SQL Server Management Studio is a listed component for Service Desk installs, but was determined in testing to be an optional component for Service Desk operations.
To resolve the issue there are two options:
Option 1) Uninstall SQL Server Management Studio but ensure the client tools remain installed.
Option 2) Upgrade SQL Server Management Studio to version 22 or later, where commons-collections-3.2.1.jar is not present.
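To confirm whether the JAR is present before remediation, and that it is gone afterwards, the following added PowerShell example (not vendor-supplied code) inventories commons-collections JARs under the SSMS install folders. The function names are hypothetical, and it assumes SSMS is installed under a "Microsoft SQL Server Management Studio*" folder in Program Files and that the JAR manifest carries an Implementation-Version line.

```powershell
# Added example: inventory commons-collections JARs under SSMS install folders.
# Assumption: SSMS lives in a "Microsoft SQL Server Management Studio*" folder
# under Program Files (x86) or Program Files, as in the paths shown above.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JarImplementationVersion {
    param([Parameter(Mandatory)][string]$Path)
    # A JAR is a ZIP archive; the library version is recorded in META-INF/MANIFEST.MF.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
        if (-not $entry) { return $null }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try {
            foreach ($line in ($reader.ReadToEnd() -split "`r?`n")) {
                if ($line -match '^Implementation-Version:\s*(.+)$') { return $Matches[1].Trim() }
            }
        } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    return $null
}

function Find-SsmsCommonsCollections {
    param([string[]]$Roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles))
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Directory -Filter 'Microsoft SQL Server Management Studio*' -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-ChildItem -Path $_.FullName -Recurse -File -Filter 'commons-collections*.jar' -ErrorAction SilentlyContinue
            } |
            ForEach-Object {
                $jar = $_
                $version = $null
                # An unreadable or locked JAR is still reported, just without a manifest version.
                try { $version = Get-JarImplementationVersion -Path $jar.FullName } catch { }
                [pscustomobject]@{
                    Path            = $jar.FullName
                    ManifestVersion = $version
                    # Flag by file name or manifest, so a copy whose name lacks the version is still caught.
                    Flagged         = ($jar.Name -eq 'commons-collections-3.2.1.jar') -or ($version -eq '3.2.1')
                }
            }
    }
}

$found = @(Find-SsmsCommonsCollections)
if ($found.Count -eq 0) { 'No commons-collections JAR found under SSMS folders.' }
else { $found | Format-List }
```

After applying either option, an empty result indicates the flagged JAR is no longer present in the SSMS folders.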