Java Deserialization Vulnerability with Service Catalog



Article ID: 7834




CA Service Catalog


Security software tools (for example, Qualys or Burp Suite) detect a "Java Deserialization Vulnerability" on the Catalog server.


Service Catalog 12.9, 14.1, 17.0


The Java Deserialization Vulnerability reported by the security software actually comes from a third-party library, commons-collections.jar (from the Apache Software Foundation). The version of this library shipped with Catalog 12.9, 14.1 and 17.0 is 3.2.1.

It is recommended to move to version 3.2.2, since commons-collections.jar 3.2.2 addresses several security issues present in 3.2.1, including the Java Deserialization Vulnerability.


1. Download the commons-collections library (version 3.2.2) from the Apache Software Foundation.
2. Uncompress the archive to obtain commons-collections-3.2.2.jar.
3. On the Catalog server:
   1) Create a backup folder on the desktop.
   2) Stop the Catalog service.
   3) Move the original commons-collections.jar from USM_HOME\view\webapps\usm\WEB-INF\lib\ into that backup folder.
   4) Rename the downloaded commons-collections-3.2.2.jar to commons-collections.jar and place it in USM_HOME\view\webapps\usm\WEB-INF\lib\, replacing the original.
   5) Restart the Catalog service.
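Because the deployed jar is renamed to commons-collections.jar with no version in the file name, the only reliable way to confirm the swap took effect is to read the version from the jar's own manifest. The following check is an added example, not CA or Apache code; it assumes the jar manifest carries an Implementation-Version or Bundle-Version header (as Apache's builds do) and uses a constructed stand-in jar so it runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

PATCHED_VERSION = (3, 2, 2)  # first commons-collections 3.x release with the fix

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); trailing qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_version(jar_path):
    """Read Implementation-Version (or Bundle-Version) from the jar manifest; None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for header in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{header}:\s*(\S+)", manifest, re.MULTILINE)
        if m:
            return m.group(1)
    return None

def check_lib_dir(lib_dir):
    """Map each commons-collections*.jar in lib_dir to (version, is_patched)."""
    results = {}
    for jar in Path(lib_dir).glob("commons-collections*.jar"):
        version = jar_version(jar)
        patched = version is not None and parse_version(version) >= PATCHED_VERSION
        results[jar.name] = (version, patched)
    return results

def build_sample_jar(lib_dir, version):
    """Constructed fixture (not a real Apache jar): minimal jar whose manifest claims a version."""
    Path(lib_dir).mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(Path(lib_dir) / "commons-collections.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")

def demo():
    """Check a constructed lib directory before and after the 3.2.2 swap."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jar(Path(tmp) / "before", "3.2.1")
        build_sample_jar(Path(tmp) / "after", "3.2.2")
        return check_lib_dir(Path(tmp) / "before"), check_lib_dir(Path(tmp) / "after")

if __name__ == "__main__":
    print(demo())
```

On a real server, call check_lib_dir() on USM_HOME\view\webapps\usm\WEB-INF\lib\ after the restart; a result of ("3.2.2", True) confirms the replacement.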

Additional Information

About the Java Deserialization Vulnerability

Java JMX Agent Insecure Configuration: please refer to the KB below: