How can I fix the Apache Commons Collection 3.1 Java object de-serialisation vulnerability if I have CA SSO 12.52 SP1?

Document ID:  TEC1857407
Last Modified Date:  06/15/2017


  • CA Single Sign-On



Apache have reported a vulnerability in the Commons Collection library as per 

This affects version 3.1 of the library and is corrected in versions 3.2.2 and 4.1.

According to the release notes for CA Single Sign On 12.52 SP1, Commons Collections 3.1 is used here.



Is there a fix for the Commons Collection library Java de-serialisation vulnerability discovered in version 3.1 for CA Single Sign On 12.52 SP1?


This has been fixed and verified in R12.52 SP1 CR06 for Policy Server, AdminUI and Secure Proxy Server in a variety of systems. Please upgrade to this release to correct this.
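
One way to confirm which Commons Collections version each component ships before and after the upgrade (an added example, not CA's or Apache's code). It finds the library by its `InvokerTransformer` class even in renamed or nested archives and, going beyond the 3.1 the article names, treats anything below the fixed releases 3.2.2 and 4.1 as unfixed; reading the version from the manifest's `Implementation-Version` or from the file name is an assumption about how the JAR was packaged.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Marker class -> first fixed release named in the article (3.2.2 and 4.1).
MARKERS = {
    "org/apache/commons/collections/functors/InvokerTransformer.class": (3, 2, 2),
    "org/apache/commons/collections4/functors/InvokerTransformer.class": (4, 1),
}
ARCHIVES = (".jar", ".war", ".ear")
MANIFEST = "META-INF/MANIFEST.MF"
VERSION = r"(\d+(?:\.\d+)+)"

def detect_version(manifest, filename):
    """Prefer the manifest's Implementation-Version (assumed present), else the file name."""
    m = (re.search(r"^Implementation-Version:\s*" + VERSION, manifest, re.M)
         or re.search(VERSION, filename))
    return tuple(map(int, m.group(1).split("."))) if m else None

def scan_archive(data, label):
    """Return (path, version, status) per library copy, descending into nested archives."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for marker in sorted(MARKERS.keys() & names):
            manifest = (zf.read(MANIFEST).decode("utf-8", "replace")
                        if MANIFEST in names else "")
            version = detect_version(manifest, re.split(r"[\\/]", label)[-1])
            status = "UNKNOWN" if version is None else (
                "FIXED" if version >= MARKERS[marker] else "UNFIXED")
            findings.append((label, version, status))
        for name in sorted(names):
            if name.lower().endswith(ARCHIVES):
                findings += scan_archive(zf.read(name), f"{label}!/{name}")
    return findings

def scan_tree(root):
    """Scan every archive file under directory `root`, e.g. a product install path."""
    paths = (p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in ARCHIVES)
    return [hit for p in paths for hit in scan_archive(p.read_bytes(), str(p))]

if __name__ == "__main__":
    for path, version, status in scan_tree((sys.argv[1:] or ["."])[0]):
        print(status, version, path)
```

Run it with the install directory of the Policy Server, AdminUI or Secure Proxy Server as the only argument; any `UNFIXED` or `UNKNOWN` line after the upgrade needs a closer look.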
