Java Deserialization Vulnerability with Service Catalog

Document ID : KB000007834
Last Modified Date : 14/02/2018

Security scanning tools (for example, Qualys or Burp Suite) detected the "Java Deserialization Vulnerability" on the catalog server.

Service Catalog 12.9, 14.1, 17.0

The Java Deserialization Vulnerability reported by the security scanner is actually in a third-party library, commons-collections.jar (from the Apache Software Foundation). The version of this library shipped with Service Catalog 12.9, 14.1 and 17.0 is 3.2.1. It is recommended to upgrade to version 3.2.2, because commons-collections 3.2.2 addresses several security issues present in 3.2.1, including the "Java Deserialization Vulnerability".


1. Download the commons-collections library, version 3.2.2.
2. Uncompress it to obtain commons-collections-3.2.2.jar.
3. On the catalog server:
   1) Create a backup folder on the desktop.
   2) Stop the catalog service.
   3) Move the original commons-collections.jar from USM_HOME\view\webapps\usm\WEB-INF\lib\ into that backup folder.
   4) Rename the downloaded commons-collections-3.2.2.jar to commons-collections.jar and place it in USM_HOME\view\webapps\usm\WEB-INF\lib\, replacing the original.
   5) Restart the catalog service.
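Because step 4 renames the jar to commons-collections.jar, the file name no longer shows which version is deployed. The following check, an added example that is not part of this KB, reads the version from the jar's own MANIFEST.MF so you can confirm before and after the swap (and during a later scan) that the deployed library is 3.2.2 or newer. It assumes USM_HOME is available as an environment variable; the fallback path and the in-memory sample jars are constructed placeholders.

```python
import io
import os
import re
import zipfile
from pathlib import Path

# Assumption: USM_HOME is set in the environment; the fallback is a placeholder.
LIB_DIR = Path(os.environ.get("USM_HOME", r"C:\USM_HOME")) / "view" / "webapps" / "usm" / "WEB-INF" / "lib"
FIXED_VERSION = (3, 2, 2)   # first commons-collections 3.x release the KB recommends


def manifest_version(jar):
    """Return the version recorded in the jar's META-INF/MANIFEST.MF, or None."""
    with zipfile.ZipFile(jar) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    # Manifest values may wrap onto a continuation line starting with a space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version", "Specification-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
        if m:
            return m.group(1)
    return None


def parse_version(text):
    """'3.2.2' -> (3, 2, 2); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    return tuple(int(n or 0) for n in m.groups()) if m else None


def is_fixed(jar):
    """True if the jar's manifest version is 3.2.2 or later."""
    v = parse_version(manifest_version(jar))
    return v is not None and v >= FIXED_VERSION


def sample_jar(version):
    """Constructed in-memory jar for demonstration: a manifest only, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = LIB_DIR / "commons-collections.jar"
    if target.exists():
        print(target, manifest_version(target), "OK" if is_fixed(target) else "NEEDS 3.2.2+")
    else:
        print("not found:", target)
```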

Additional Information:

About the Java Deserialization Vulnerability