I remember going through this advisory and patching my vRealize Orchestrator 6 machines earlier this year.  My security team just finished a scan of some new vSphere Data Protection 6.1.2 instances I stood up and said they also have the same vulnerability (rated "high", CVSS=10).  Unfortunately, the advisory doesn't list VDP.  I looked through all the other advisories for VDP for the past year or two, but don't see this one listed anywhere.  I found commons-collections-3.2.1.jar in several places on the VDP machines, but in one particular instance, it looks like an expanded .war file also contains the vulnerable .jar file as well (/usr/local/avamar/lib/jetty/avi.war).  I'm ok with swapping out the existing .jar's with commons-collections-3.2.2.jar, but not monkeying around with a .war file.  Has anyone ran into this issue?