ColdFusion serialfilter file

The ColdFusion serial filter allows Java classes or packages for deserializing Wddx packets.

The cfserialfilter.txt file ensures protection against insecure Wddx deserialization attacks. On the other hand, the already existing serialfilter.txt blocks Java deserialization by disallowing certain Java classes or packages.

As a security precaution, we have blocked ColdFusion internal classes from Wddx deserialization, except for a few classes needed for ColdFusion to run normally.

By default, the packages that ColdFusion allows for deserialization are:

java.util.Locale;java.util.Collections$EmptySet;java.util.HashMap;coldfusion.server.ConfigMap;coldfusion.util.FastHashtable;coldfusion.saml.SpConfiguration;coldfusion.saml.IdpConfiguration;coldfusion.runtime.CaseSensitiveStruct;coldfusion.scheduling.mod.ScheduleTagData;coldfusion.runtime.ArgumentCollection;coldfusion.util.CaseInsensitiveMap;coldfusion.runtime.AttributeCollection;coldfusion.sql.QueryTable;coldfusion.archivedeploy.Archive;coldfusion.scheduling.ScheduleTagData;coldfusion.osgi.to.ScheduleTagTO;

Use cfserialfilter.txt to customize the allowed list of classes.

Any class apart from the ones specified above are blocked for deserialization and the same are logged in wddx.log.

In serialfilter.txt, the packages that ColdFusion disallows by default for deserialization are:

!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;

What happens if your application uses additional packages?

If your applications use packages or classes that are disallowed in cfserialfilter.txt, your application does not work as expected, and an error is logged in <CF_HOME>/logs/wddx.log.

Due to security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. Add the class or package in the file cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization.

How can you identify external Java packages or classes?

  1. Download the patches for your ColdFusion version from the following location:

  2. Copy the downloaded file in <CF_HOME>/lib/updates and restart ColdFusion.

  3. Run your applications.

    You'll find the list of packages or classes in <CF_HOME>/logs/wddx.log file.

  4. Delete the patch after you obtain the list of packages.

What to do once additional packages or/and classes are identified?

If you want to apply the update, perform the following steps:

  1. Apply the update.

  2. If a deserialization vulnerability is reported in public domains for the packages or classes identified, we recommend not adding those packages or classes to the allowed list.

  3. Open the file cfserialfilter.txt in <CF_HOME>/lib.

  4. If you want to allow a class or package, add it in the format:

    • Class: java.<.package_name>.<class_name>
    • Package: java.<package_name>.**
  5. cfserialfilter can also be used to disallow packages/classes. To do so, follow the below format:
    • Class: !java.<.package_name>.<class_name>
    • Package: !java.<package_name>.**
    Note:

    The order in which the packages or classes are listed is important. For example, if you've allowed the package java.util.**, and you further want to block a class  java.util.Date, within that package, you can do so by specifying !java.util.Date;java.util.**. If the order is reversed in this example, then by default, all the classes within the package will be allowed.

  6. Restart ColdFusion. 

Document revision history

  • 12 March 2024: Before Update 7, the packages allowed for wddx deserialization were taken from the cfserialfilter.txt file. With Update 7, the list of allowed packages is now used as the default allowed list in the code to prevent accidental exposure to any wddx deserialization vulnerability. Also, in this update, a new package coldfusion.osgi.to.ScheduleTagTO has been added to the default list of allowed packages.
    The cfserialfilter.txt can still be used to specify a customized list of packages/new packages considered safe for wddx deserialization. Note that the packages added to cfserialfilter.txt will always be given higher priority.
  • References to ColdFusion 2023 (Update 3) and ColdFusion (2021) Update 9 were removed.
  • Updated the default for cfserialfilter.

Get help faster and easier

New user?