Security software tools (for example, Qualys or Burp Suite) detected the "Java Deserialization Vulnerability" on the catalog server.
The Java Deserialization Vulnerability detected by the security software actually comes from a third-party library, commons-collections.jar (from the Apache Software Foundation). The version of this library shipped with catalog 12.9, 14.1 and 17.0 is 3.2.1.
It is recommended to use version 3.2.2, since version 3.2.2 of commons-collections.jar addresses several security issues present in version 3.2.1, including the "Java Deserialization Vulnerability".
1. Download commons-collections-3.2.2-bin.zip from the Apache Commons Collections download page.
2. Uncompress it to get commons-collections-3.2.2.jar.
3. On the catalog server:
1) Create a backup folder on the desktop.
2) Stop the catalog service.
3) Move the original commons-collections.jar file from USM_HOME\view\webapps\usm\WEB-INF\lib\ into that backup folder.
4) Rename the downloaded commons-collections-3.2.2.jar to commons-collections.jar, and place this commons-collections.jar into USM_HOME\view\webapps\usm\WEB-INF\lib\ to replace the original one.
5) Restart the catalog service.
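Because step 4 renames commons-collections-3.2.2.jar to commons-collections.jar, the file name in WEB-INF\lib no longer tells you which version is deployed; the version recorded in the jar's own META-INF/MANIFEST.MF does. The following script is an added example (not part of this KB article or of CA/Broadcom's product code) that reads that manifest and reports whether the deployed jar is 3.2.2 or later. It assumes the manifest carries an Implementation-Version or Bundle-Version header, as the Apache commons-collections jars do; the sample jars it builds for the demonstration are constructed and contain only a manifest. Run it with the WEB-INF\lib path as the argument after the replacement, and again before, to confirm the change took effect.

```python
"""Check which commons-collections version is actually deployed.

Added example, not part of the Broadcom KB article or the product. After the
replacement procedure the jar is called commons-collections.jar regardless of
its version, so the manifest inside the jar is the reliable indicator.
Assumption: the manifest has an Implementation-Version or Bundle-Version header.
"""
import re
import sys
import zipfile
from pathlib import Path

# First release in the 3.x line that ships the deserialization fix (per the KB).
FIXED_VERSION = (3, 2, 2)


def parse_version(text):
    """Turn a version string such as '3.2.1' into (3, 2, 1); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def jar_version(jar_path):
    """Return the version string recorded in the jar's manifest, or None if absent.

    Implementation-Version is checked first, then Bundle-Version.
    """
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None  # no manifest at all
    for key in ("Implementation-Version", "Bundle-Version"):
        match = re.search(rf"^{key}:\s*(\S+)", manifest, re.MULTILINE)
        if match:
            return match.group(1)
    return None


def is_fixed(version):
    """True when the version is in the 3.x line and at least 3.2.2.

    Only the 3.x line covered by the KB is judged; a jar with no version, or
    a different major version (commons-collections4 is a separate artifact),
    is reported as not verified so it gets a manual look.
    """
    if version is None:
        return False
    parsed = parse_version(version)
    return len(parsed) >= 1 and parsed[0] == 3 and parsed >= FIXED_VERSION


def check_lib_dir(lib_dir):
    """Scan every commons-collections*.jar in lib_dir.

    Returns {file name: (version string or None, fixed?)}.
    """
    results = {}
    for jar in sorted(Path(lib_dir).glob("commons-collections*.jar")):
        version = jar_version(jar)
        results[jar.name] = (version, is_fixed(version))
    return results


def make_sample_jar(path, version):
    """Write a constructed, manifest-only jar for demonstration and testing (not a real Apache artifact)."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Implementation-Title: Commons Collections\r\n"
        f"Implementation-Version: {version}\r\n"
        f"Bundle-Version: {version}\r\n"
        "\r\n"
    )
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        lib_dir = sys.argv[1]  # e.g. USM_HOME\view\webapps\usm\WEB-INF\lib
    else:
        # No path given: build a constructed sample directory to show the output format.
        import tempfile
        lib_dir = tempfile.mkdtemp()
        make_sample_jar(Path(lib_dir) / "commons-collections.jar", "3.2.1")
    for name, (version, ok) in check_lib_dir(lib_dir).items():
        status = "OK (3.2.2 or later)" if ok else "NOT VERIFIED - replace or inspect"
        print(f"{name}: manifest version {version}: {status}")
```

Keeping the original jar in the backup folder from step 1 means you can run the same check against the backup to confirm it really was the 3.2.1 build, which is useful evidence to attach when closing the scanner finding.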
For more information about the Java Deserialization Vulnerability and the Java JMX Agent Insecure Configuration, refer to the following KB article:
https://knowledge.broadcom.com/external/article/130586/java-jmx-agent-insecure-configuration.html