Open cfserialfilter.txt in <CF_HOME>/lib.
Last updated on
Aug 25, 2023
ColdFusion (2023 release) Update 4
Note:
The updates below are cumulative and contain all updates from previous ones. If you are skipping updates, you can apply the latest update, not those you are skipping. Further, you must note any changes implemented in each of the updates you are skipping.
To install previous updates, see ColdFusion (2023 release) updates.
Alert:
The Oracle Java CPU update released in July 2023 introduced an additional validation of ZIP64 extra fields that is known to cause an issue while downloading and/or applying the ColdFusion updates that were released on July 19, 2023 and Aug 17, 2023.
As a workaround, if you using the above JDK, you will need to install the update manually by using the command:
java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar
Note that this issue is only specific to the July CPU JDK patch release. If you're using Java bundled with ColdFusion, the update will install without any issues.
Adobe would like to thank Charlie Arehart for proposing this workaround.
What's new and changed
ColdFusion (2023 release) Update 4 (release date, 17 August, 2023) introduces the ColdFusion serial filter that can be used to allow or disallow Java classes or packages for the deserialization of Wddx packets.
ColdFusion SerialFilter
To help ensure protection against insecure wddx deserialization attacks, few vetted classes from the java.util package have been enumerated as allowed classes for deserialization, and are listed in the cfserialfilter.txt file. View the ColdFusion serialfilter document for more information.
Note:
If some components in your applications fail to work due to this change, check the log files (check wddx.log present in <CF_HOME>/logs for the class/package that is blocked).
Follow these steps to allow or disallow a package:
-
-
If you want to allow a class or package, add it in the format:
- Class: java.<.package_name>.<class_name>;
- Package: java.<package_name>.**;
-
If you want to disallow a particular class or package, add it in the format:
- Class: !java.<.package_name>.<class_name>;
- Package: !java.<package_name>.**;
Note:The order in which the packages or classes are listed is important.
Let’s take an example. If you've allowed the package "java.util.**;" and want to block a class "java.util.Date;" in the package, use "!java.util.Date;java.util.**;".
In the example, if you reverse the order (i.e., java.util.**;!java.util.Date), all classes in the package "java.util.**" will be allowed by default.
-
Restart ColdFusion.
Java serialfilter
Use the serialfilter.txt file to disallow the classes or packages to block Java deserialization. By default, all packages are allowed for Java deserialization. For more information, see this document.
Standalone installation
-
Open the file serialfilter.txt in <CF_HOME>/lib.
-
Add the class or package:
- Class: !java.<.package_name>.<class_name>;
- Package: !java.<package_name>.**;
-
Restart ColdFusion.
JEE installation
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**", in the respective startup file depending on the type of Application Server being used.
For example:
- On Apache Tomcat Application Server, edit JAVA_OPTS in the Catalina.bat/sh file.
- On WebLogic Application Server, edit JAVA_OPTIONS in the startWeblogic.cmd file.
- On a WildFly/EAP Application Server, edit JAVA_OPTS in the standalone.conf file.
Security recommendations
Adobe strongly recommends securing your ColdFusion installations by applying server auto-lockdown and imposing IP restrictions on your server.
For more information, see:
Prerequisites
- On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
- If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
- http.proxyHost
- http.proxyPort
- http.proxyUser
- http.proxyPassword
- For ColdFusion running on JEE application servers, stop all application server instances before installing the update.
ColdFusion JDK flag requirements
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**", in the respective startup file depending on the type of Application Server being used.
For example:
- Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
- WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
- WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
Installation
ColdFusion Administrator
In Package Manager > Packages, click Check for Updates in Core Server.
After it detects an update, click Update. The core package will then be updated with the latest update.
All installed packages also get updated.
Restart ColdFusion for the changes to take effect.
Install the update in offline mode manually
- Download the hotfix installer and repository from the link.
- Unzip the repository to a place where all ColdFusion server instances can access it.
- Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.
If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).
You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.
- Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-004-330500.jar
- Linux-based platforms: <cf_root>/jre/bin/java -jar <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-004-330500.jar
Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.
Install the update from a user account that has permissions to restart ColdFusion services and other configured webservers .
For further details on manually updating the application, see the help article.
Post installation
Note:
After applying this update, the ColdFusion build number should be 2023,0,04,330500.
Uninstallation
To uninstall the update, perform one of the following:
- In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
- Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2023-00004-330500/uninstall /uninstaller.jar
If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:
- Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
- Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2023-00004-330500}/backup directory to {cf_install_home}/{instance_name}/
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online
Adobe MAX
The Creativity Conference
Oct 14–16 Miami Beach and online