ColdFusion serialfilter file

The ColdFusion serial filter allows Java classes or packages for deserializing Wddx packets.

The cfserialfilter.txt file ensures protection against insecure Wddx deserialization attacks. On the other hand, the already existing serialfilter.txt blocks Java deserialization by disallowing certain Java classes or packages.

As a security precaution, we have blocked ColdFusion internal classes from Wddx deserialization, except for a few classes needed for ColdFusion to run normally.

By default, the packages that ColdFusion allows for deserialization are:

java.util.Locale;java.util.Collections$EmptySet;java.util.HashMap;coldfusion.server.ConfigMap;coldfusion.util.FastHashtable;coldfusion.saml.SpConfiguration;coldfusion.saml.IdpConfiguration;coldfusion.runtime.CaseSensitiveStruct;coldfusion.scheduling.mod.ScheduleTagData;coldfusion.runtime.ArgumentCollection;coldfusion.util.CaseInsensitiveMap;coldfusion.runtime.AttributeCollection;coldfusion.sql.QueryTable;coldfusion.archivedeploy.Archive;coldfusion.scheduling.ScheduleTagData;coldfusion.osgi.to.ScheduleTagTO;

Use cfserialfilter.txt to customize the allowed list of classes.

Any class apart from the ones specified above are blocked for deserialization and the same are logged in wddx.log.

In serialfilter.txt, the packages that ColdFusion disallows by default for deserialization are:

!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;

What happens if your application uses additional packages?

If your applications use packages or classes that are disallowed in cfserialfilter.txt, your application does not work as expected, and an error is logged in <CF_HOME>/logs/wddx.log.

Due to security reasons, com.sun.rowset.JdbcRowSetImpl is blocked for deserialization. Add the class or package in the file cfusion/lib/cfserialfilter.txt to override the behavior and allow deserialization.

How can you identify external Java packages or classes?

What to do once additional packages or/and classes are identified?

If you want to apply the update, perform the following steps:

Document revision history

• 12 March 2024: Before Update 7, the packages allowed for wddx deserialization were taken from the cfserialfilter.txt file. With Update 7, the list of allowed packages is now used as the default allowed list in the code to prevent accidental exposure to any wddx deserialization vulnerability. Also, in this update, a new package coldfusion.osgi.to.ScheduleTagTO has been added to the default list of allowed packages.
  The cfserialfilter.txt can still be used to specify a customized list of packages/new packages considered safe for wddx deserialization. Note that the packages added to cfserialfilter.txt will always be given higher priority.
  
• References to ColdFusion 2023 (Update 3) and ColdFusion (2021) Update 9 were removed.
• Updated the default for cfserialfilter.