Java Deserialization Vulnerability with Service Catalog



Article ID: 7834


Products

CA Service Catalog

Issue/Introduction

Security scanning tools (for example Qualys or Burp Suite) report a "Java Deserialization Vulnerability" on the catalog server.

Environment

Service Catalog 12.9, 14.1, 17.0

Cause

The Java Deserialization Vulnerability reported by the security scanner is actually in a third-party library, commons-collections.jar (from the Apache Software Foundation). The version of this library shipped with Catalog 12.9, 14.1 and 17.0 is 3.2.1.

It is recommended to move to version 3.2.2, since version 3.2.2 of commons-collections.jar addressed several security issues present in 3.2.1, including the Java Deserialization Vulnerability.

Resolution

1. Download commons-collections-3.2.2-bin.zip from the Apache commons-collections download page.
2. Uncompress it to obtain commons-collections-3.2.2.jar.
3. On the catalog server:
   1) Create a backup folder on the desktop.
   2) Stop the catalog service.
   3) Move the original commons-collections.jar from USM_HOME\view\webapps\usm\WEB-INF\lib\ into that backup folder.
   4) Rename the downloaded commons-collections-3.2.2.jar to commons-collections.jar and place it in USM_HOME\view\webapps\usm\WEB-INF\lib\, replacing the original.
   5) Restart the catalog service.
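Because step 4 renames the jar to commons-collections.jar, the filename no longer tells you which version is deployed. The following script, added here as an example and not part of this article, reads the version recorded in the jar's META-INF/MANIFEST.MF so you can confirm the replacement took effect (and re-check after an upgrade or patch restores the old jar). It assumes the Apache manifest carries `Implementation-Version` or `Bundle-Version`, and that `USM_HOME` is available as an environment variable.

```python
import io
import os
import re
import zipfile

# Manifest keys in which Apache Commons jars record their version
# (assumption: Implementation-Version is tried first, then Bundle-Version).
VERSION_KEYS = ("Implementation-Version", "Bundle-Version")
FIXED_VERSION = (3, 2, 2)
MANIFEST = "META-INF/MANIFEST.MF"

def parse_version(text):
    """Turn '3.2.1' into a comparable tuple of ints, ignoring any suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_version(jar):
    """Return the version recorded in the jar's manifest, or None if absent."""
    with zipfile.ZipFile(jar) as zf:  # jar may be a path or a file-like object
        if MANIFEST not in zf.namelist():
            return None
        text = zf.read(MANIFEST).decode("utf-8", "replace")
    # Manifest values longer than 72 bytes wrap onto lines that start with one
    # space; join those continuation lines before splitting key: value pairs.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    fields = {}
    for line in text.split("\n"):
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return next((fields[k] for k in VERSION_KEYS if k in fields), None)

def is_patched(jar):
    """True when the jar's recorded version is 3.2.2 or later."""
    version = jar_version(jar)
    return version is not None and parse_version(version) >= FIXED_VERSION

def build_sample_jar(version=None):
    """Constructed in-memory jar holding only a manifest, for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:  # None simulates a jar with no manifest
            zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                                  f"Implementation-Version: {version}\r\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":  # assumed: USM_HOME env var points at the catalog install
    jar = os.path.join(os.environ["USM_HOME"], r"view\webapps\usm\WEB-INF\lib\commons-collections.jar")
    print(jar_version(jar), "patched" if is_patched(jar) else "NOT patched")
```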

Additional Information

About the Java Deserialization Vulnerability

For the related Java JMX Agent Insecure Configuration finding, please refer to the KB article below:

https://knowledge.broadcom.com/external/article/130586/java-jmx-agent-insecure-configuration.html