diff --git a/lucene/ivy-versions.properties b/lucene/ivy-versions.properties
index 31c125d9cfe..59ed4702373 100644
--- a/lucene/ivy-versions.properties
+++ b/lucene/ivy-versions.properties
@@ -61,7 +61,7 @@ com.sun.jersey.version = 1.9
 /commons-beanutils/commons-beanutils = 1.8.3
 /commons-cli/commons-cli = 1.2
 /commons-codec/commons-codec = 1.10
-/commons-collections/commons-collections = 3.2.1
+/commons-collections/commons-collections = 3.2.2
 /commons-configuration/commons-configuration = 1.6
 /commons-digester/commons-digester = 2.1
 /commons-fileupload/commons-fileupload = 1.2.1
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 1fe32f11295..7bc02438737 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -515,6 +515,8 @@ Other Changes
 * SOLR-8286: Remove instances of solr.hdfs.blockcache.write.enabled from tests
   and docs (Gregory Chanan)
 
+* SOLR-8269: Upgrade commons-collections to 3.2.2. This fixes a known serialization vulnerability (janhoy)
+
 ==================  5.3.1 ==================
 
 Bug Fixes
diff --git a/solr/licenses/commons-collections-3.2.1.jar.sha1 b/solr/licenses/commons-collections-3.2.1.jar.sha1
deleted file mode 100644
index 7d2de1eb0f2..00000000000
--- a/solr/licenses/commons-collections-3.2.1.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-761ea405b9b37ced573d2df0d1e3a4e0f9edc668
diff --git a/solr/licenses/commons-collections-3.2.2.jar.sha1 b/solr/licenses/commons-collections-3.2.2.jar.sha1
new file mode 100644
index 00000000000..3284fcae413
--- /dev/null
+++ b/solr/licenses/commons-collections-3.2.2.jar.sha1
@@ -0,0 +1 @@
+8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5