Download the patches for your ColdFusion version from the following location:
- ColdFusion (2023 release) (MD5: 238e77125baf0e139bc7681a47b8e24bb6605e40)
- ColdFusion (2021 release) (MD5: 91d06c0a185634ac30f2bafceaaba330)
Verify the downloaded file against its published checksum before installing it. Note that the first value above is 40 hex digits, which is the length of a SHA-1 digest rather than an MD5 digest (32 hex digits, as in the second value); confirm the algorithm on the download page before relying on it.
The ColdFusion serial filter is an allowlist of the Java classes and packages that ColdFusion will instantiate when deserializing WDDX packets.
The cfserialfilter.txt file holds that allowlist and is what protects against insecure WDDX deserialization. The pre-existing serialfilter.txt file is the opposite kind of control: a denylist that blocks native Java deserialization of specific classes and packages. The two files share the same entry syntax but have opposite defaults: a class that is not listed in cfserialfilter.txt is blocked, whereas a class that is not listed in serialfilter.txt is allowed.
As a security precaution, we have blocked ColdFusion's own internal classes from WDDX deserialization, except for the few classes that ColdFusion needs in order to run normally.
By default, the classes that ColdFusion allows for WDDX deserialization are (one fully qualified class name per entry, entries separated by semicolons):
java.util.Locale;java.util.Collections$EmptySet;java.util.HashMap;coldfusion.server.ConfigMap;coldfusion.util.FastHashtable;coldfusion.saml.SpConfiguration;coldfusion.saml.IdpConfiguration;coldfusion.runtime.CaseSensitiveStruct;coldfusion.scheduling.mod.ScheduleTagData;coldfusion.runtime.ArgumentCollection;coldfusion.util.CaseInsensitiveMap;coldfusion.runtime.AttributeCollection;coldfusion.sql.QueryTable;coldfusion.archivedeploy.Archive;coldfusion.scheduling.ScheduleTagData;coldfusion.osgi.to.ScheduleTagTO;
Use cfserialfilter.txt to customize this allowlist.
Any class other than those listed is blocked from WDDX deserialization, and each blocked attempt is logged in wddx.log.
In serialfilter.txt, the packages that ColdFusion disallows by default for native Java deserialization are as follows (a leading ! marks an entry as blocked, and ** matches the package and all of its subpackages):
!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;
If your applications deserialize packages or classes that are not on the allowlist in cfserialfilter.txt, the application does not work as expected, and an error is logged in <CF_HOME>/logs/wddx.log.
For security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. You can override this by adding the class or its package to cfusion/lib/cfserialfilter.txt (that is, <CF_HOME>/lib/cfserialfilter.txt). Be aware, however, that JdbcRowSetImpl is a widely documented deserialization gadget (setting its dataSourceName property triggers a JNDI lookup), so allowing it reintroduces exactly the risk the filter exists to remove; the recommendation below about publicly reported deserialization vulnerabilities applies to it, and it should be allowed only if an application cannot run without it.
To identify the packages or classes that your applications need on the allowlist, use the patch as follows:
1. Download the patches for your ColdFusion version from the following location:
2. Copy the downloaded file to <CF_HOME>/lib/updates and restart ColdFusion.
3. Run your applications. Only the code paths you actually exercise are logged, so cover every feature that deserializes WDDX.
4. Read the list of packages or classes that your applications attempted to deserialize from the <CF_HOME>/logs/wddx.log file.
5. Delete the patch after you have obtained the list.
If you want to apply the update, perform the following steps:
1. Apply the update.
2. Review the packages or classes you identified. If a deserialization vulnerability has been publicly reported for any of them, we recommend not adding that package or class to the allowed list.
3. Open the file cfserialfilter.txt in <CF_HOME>/lib.
4. To allow a class or package, add an entry in the same format as the default list: entries are separated by semicolons, a fully qualified name such as coldfusion.sql.QueryTable; allows one class, and a package pattern such as java.util.**; allows the package and all of its subpackages. Prefix an entry with ! to block it.
5. Check the order of your entries, because it matters: entries are evaluated in order and the first match decides. For example, if you have allowed the package java.util.** and want to block the class java.util.Date within that package, specify !java.util.Date;java.util.**. If the order is reversed, java.util.** matches first and every class in the package, including java.util.Date, is allowed.
6. Restart ColdFusion.
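As an added example (not code from Adobe or from the ColdFusion product), the following Python script models the ordered, first-match evaluation described above so that a candidate cfserialfilter.txt or serialfilter.txt line can be checked against the class names taken from wddx.log before the server is restarted. It assumes the entry syntax shown on this page (semicolons between entries, a leading ! to block, pkg.** for a package and its subpackages, a bare name for one class); the single-level pkg.* form follows the JDK serial-filter convention and is an assumption about ColdFusion's behaviour. The two default lists are quoted from this page; the "needed" class names in the demonstration are constructed for the example.

```python
"""Model of ColdFusion's ordered serial-filter evaluation.

Added example, not ColdFusion's own code. Assumed entry syntax (from the page):
  'a.b.Cls'  exact class       'a.b.**'  package and all subpackages
  '!entry'   block the entry   entries are separated by ';'
'a.b.*' (package only, no subpackages) follows the JDK serial-filter
convention and is an assumption about ColdFusion's behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass

# Default lists quoted from this page.
DEFAULT_WDDX_ALLOWLIST = (
    "java.util.Locale;java.util.Collections$EmptySet;java.util.HashMap;"
    "coldfusion.server.ConfigMap;coldfusion.util.FastHashtable;"
    "coldfusion.saml.SpConfiguration;coldfusion.saml.IdpConfiguration;"
    "coldfusion.runtime.CaseSensitiveStruct;coldfusion.scheduling.mod.ScheduleTagData;"
    "coldfusion.runtime.ArgumentCollection;coldfusion.util.CaseInsensitiveMap;"
    "coldfusion.runtime.AttributeCollection;coldfusion.sql.QueryTable;"
    "coldfusion.archivedeploy.Archive;coldfusion.scheduling.ScheduleTagData;"
    "coldfusion.osgi.to.ScheduleTagTO;"
)
DEFAULT_SERIALFILTER_DENYLIST = (
    "!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;"
    "!org.jgroups.**;!com.sun.rowset.**;"
)


@dataclass(frozen=True)
class Rule:
    pattern: str
    allow: bool  # False when the entry was written with a leading '!'


def parse_filter(text: str) -> list[Rule]:
    """Split a filter line into rules, preserving order (order decides matches)."""
    rules: list[Rule] = []
    for raw in text.split(";"):
        entry = raw.strip()
        if not entry:
            continue  # trailing ';' or blank entry
        rules.append(Rule(entry.lstrip("!"), allow=not entry.startswith("!")))
    return rules


def matches(pattern: str, class_name: str) -> bool:
    if pattern.endswith(".**"):  # package and every subpackage
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):  # package only (assumed JDK semantics)
        prefix = pattern[:-1]
        rest = class_name[len(prefix):]
        return class_name.startswith(prefix) and rest != "" and "." not in rest
    return class_name == pattern  # exact class (nested classes use '$')


def decide(rules: list[Rule], class_name: str, default_allow: bool) -> bool:
    """First matching rule wins; an unmatched class gets the file's default."""
    for rule in rules:
        if matches(rule.pattern, class_name):
            return rule.allow
    return default_allow


def wddx_allows(filter_text: str, class_name: str) -> bool:
    # cfserialfilter.txt is an allowlist: anything unlisted is blocked and logged.
    return decide(parse_filter(filter_text), class_name, default_allow=False)


def java_deser_allows(filter_text: str, class_name: str) -> bool:
    # serialfilter.txt is a denylist: anything unlisted is permitted.
    return decide(parse_filter(filter_text), class_name, default_allow=True)


def blocked_classes(filter_text: str, needed: list[str]) -> list[str]:
    """Classes from a wddx.log-derived list that the WDDX allowlist would still block."""
    return [c for c in needed if not wddx_allows(filter_text, c)]


if __name__ == "__main__":
    # Constructed class names standing in for what an application logged to wddx.log.
    needed = ["java.util.HashMap", "java.util.Date", "com.sun.rowset.JdbcRowSetImpl"]
    print("still blocked by the default allowlist:", blocked_classes(DEFAULT_WDDX_ALLOWLIST, needed))
    # Ordering caveat from the page: the '!' entry must precede the package wildcard.
    print(wddx_allows("!java.util.Date;java.util.**", "java.util.Date"))  # False
    print(wddx_allows("java.util.**;!java.util.Date", "java.util.Date"))  # True
```

Run it with the filter line you intend to install and the class names copied from wddx.log; anything it reports as still blocked will fail again after the restart, and anything it reports as allowed that is a known gadget (JdbcRowSetImpl, the beanutils and rowset packages) should be removed from the allowlist rather than shipped.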