diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index 26f4d050c7e..4db3614ae60 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -32,6 +32,9 @@ Release 2.6.3 - UNRELEASED
HADOOP-12526. there are duplicate dependency definitions in pom's (sjlee)
+ HADOOP-12577. Bumped up commons-collections version to 3.2.2 to address a
+ security flaw. (Wei-Chiu Chuang via vinodkv)
+
Release 2.6.2 - 2015-10-28
INCOMPATIBLE CHANGES
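Review bot: The new HADOOP-12577 entry says only "a security flaw", which gives anyone reading the 2.6.3 release notes no way to judge exposure or urgency. Consider naming the class of flaw or citing the upstream commons-collections advisory in the entry, so operators can decide whether they need to upgrade without opening the JIRA.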
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 4adb42b8767..6cd502ae440 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -659,7 +659,7 @@
commons-collections
commons-collections
- 3.2.1
+ 3.2.2
commons-configuration
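Review bot: The change from 3.2.1 to 3.2.2 touches only the version declared in hadoop-project/pom.xml, and nothing in the patch shows that every module actually resolves to it. Before merging, run `mvn dependency:tree -Dincludes=commons-collections` across the build to confirm that no module or transitive dependency still pulls in 3.2.1, and consider a build-time check that rejects the old version so it cannot come back through a later dependency change.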