Java Deserialization Vulnerability with Service Catalog

Document ID:  TEC1702119
Last Modified Date:  08/09/2017

Products

  • CA Service Catalog

Releases

  • CA Service Catalog:Release:12.9
  • CA Service Catalog:Release:14.1
  • CA Service Catalog:Release:17.0

Components

  • CA SERVICE CATALOG:USVCT
Issue:

Security scanning tools (for example, Qualys or Burp Suite) detect a "Java Deserialization Vulnerability" on the Catalog server.

Environment:
Service Catalog 12.9, 14.1, 17.0
Cause:

The Java Deserialization Vulnerability reported by security scanners comes from a third-party library, commons-collections.jar (Apache Commons Collections, from the Apache Software Foundation). The version of this library shipped with Catalog 12.9, 14.1 and 17.0 is 3.2.1. Upgrading to version 3.2.2 is recommended, because commons-collections.jar 3.2.2 addressed several security issues present in 3.2.1, including the Java Deserialization Vulnerability.

Workaround:

1. Download commons-collections-3.2.2-bin.zip from the Apache Commons Collections download page.
2. Uncompress it to obtain commons-collections-3.2.2.jar.
3. On the Catalog server:
   1) Create a backup folder on the desktop.
   2) Stop the Catalog service.
   3) Move the original commons-collections.jar from USM_HOME\view\webapps\usm\WEB-INF\lib\ into the backup folder.
   4) Rename the downloaded commons-collections-3.2.2.jar to commons-collections.jar and place it in USM_HOME\view\webapps\usm\WEB-INF\lib\, replacing the original.
   5) Restart the Catalog service.
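To confirm before and after the swap which commons-collections version the web application actually loads, the jar's own manifest can be read. The script below is an added example, not CA tooling: it reads META-INF/MANIFEST.MF from each commons-collections*.jar in a lib folder and flags anything below 3.2.2; the manifest-only sample jar it builds is constructed so the check can be exercised offline.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED_VERSION = (3, 2, 2)  # first 3.x release with the fix, per the article

def read_manifest(jar) -> dict:
    """Parse META-INF/MANIFEST.MF from a jar path, file object or raw bytes."""
    if isinstance(jar, bytes):
        jar = io.BytesIO(jar)
    with zipfile.ZipFile(jar) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    # A line beginning with one space continues the previous attribute value.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in text.split("\n"):
        key, sep, value = line.partition(":")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs

def jar_version(jar):
    """Implementation-Version (falling back to Bundle-Version), or None."""
    attrs = read_manifest(jar)
    return attrs.get("Implementation-Version") or attrs.get("Bundle-Version")

def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); a value with no digits yields () and never passes."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def is_fixed(version: str) -> bool:
    """True when a 3.x commons-collections jar is at or above 3.2.2."""
    return parse_version(version) >= FIXED_VERSION

def scan_lib_dir(lib_dir) -> list:
    """(jar name, version, fixed?) for each commons-collections*.jar in lib_dir."""
    rows = []
    for jar_path in sorted(Path(lib_dir).glob("commons-collections*.jar")):
        version = jar_version(jar_path) or "unknown"
        rows.append((jar_path.name, version, is_fixed(version)))
    return rows

def build_sample_jar(version: str) -> bytes:
    """Constructed stand-in for a real jar (manifest only) so the check runs offline."""
    manifest = f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

On the Catalog server, call scan_lib_dir with USM_HOME\view\webapps\usm\WEB-INF\lib; a row whose third field is False still carries the 3.2.1 jar.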

Additional Information:
