- Christopher Tierney
- Aug 25, 2023
- 3 min read
Updated: Apr 25
Adobe has released Update 4 for ColdFusion 2023 and Update 10 for ColdFusion 2021. Both are security-only updates (no bug fixes or enhancements). They introduce the ColdFusion serial filter, which lets you allow or disallow Java classes or packages during the deserialization of WDDX packets. This is an important security protection, and kudos to Adobe for getting in front of this before a security bulletin is necessary. It helps protect against attackers abusing WDDX deserialization.
You may remember that the previous two updates (which also covered version 2018) patched specific WDDX deserialization vulnerabilities; this update adds a more general protection by whitelisting the underlying Java classes that WDDX deserialization is allowed to instantiate. The "whitelist" lives in the new cfserialfilter.txt file in /lib, alongside the similar serialfilter.txt introduced in ColdFusion 11.
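To make the filter semantics concrete, here is an added Python model, written for this post rather than taken from Adobe, of the pattern syntax that serialfilter.txt entries follow: the JDK's ObjectInputFilter (JEP 290) syntax, which is assumed here to apply to cfserialfilter.txt as well. The two filter strings and the package names such as com.example.gadgets are constructed for illustration and are not the defaults Adobe ships. The model shows the difference between `pkg.*` and `pkg.**`, that the first matching pattern decides, and why an allowlist must end in `!*`: the JVM lets a class that no pattern matches through.

```python
"""Model of the JEP 290 serial-filter pattern syntax (added example, not Adobe's code).

The filter strings below are constructed for illustration and are NOT the
defaults shipped in serialfilter.txt or cfserialfilter.txt.
"""

ALLOWED, REJECTED, UNDECIDED = "ALLOWED", "REJECTED", "UNDECIDED"

# Constructed allowlist: permit a few packages, then reject everything else.
# The trailing "!*" matters: a class that no pattern matches is UNDECIDED, and
# the JVM treats UNDECIDED as permitted, so without "!*" this is not an allowlist.
ALLOWLIST = "java.lang.*;java.util.**;coldfusion.runtime.**;!*"

# Constructed denylist: reject specific (placeholder) packages, leave the rest alone.
DENYLIST = "!com.example.gadgets.**;!com.example.Unsafe"


def _pattern_matches(pattern: str, class_name: str) -> bool:
    """Apply one non-negated pattern using the JEP 290 wildcard rules."""
    if pattern == "*":                       # any class
        return True
    if pattern.endswith(".**"):              # the package and all sub-packages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):               # classes directly in the package only
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):                # plain prefix match
        return class_name.startswith(pattern[:-1])
    return class_name == pattern             # exact class name


def check_class(filter_spec: str, class_name: str):
    """Return (status, deciding_pattern).

    Patterns are ';'-separated; the first one that matches wins and a leading
    '!' turns the match into a rejection. Resource limits such as maxdepth=20
    are skipped by this model, as are module-qualified patterns.
    """
    for raw in filter_spec.split(";"):
        pattern = raw.strip()
        if not pattern or "=" in pattern:
            continue
        negated = pattern.startswith("!")
        if _pattern_matches(pattern[1:] if negated else pattern, class_name):
            return (REJECTED if negated else ALLOWED), pattern
    return UNDECIDED, None


def would_deserialize(filter_spec: str, class_name: str) -> bool:
    """Mirror the JVM's decision: only REJECTED stops deserialization."""
    return check_class(filter_spec, class_name)[0] != REJECTED


if __name__ == "__main__":
    # Constructed sample class names, e.g. as they might appear in a blocked-class log entry.
    samples = ["java.util.HashMap", "java.lang.String", "java.lang.reflect.Proxy",
               "coldfusion.runtime.Struct", "com.example.gadgets.Chain"]
    for label, spec in (("allowlist", ALLOWLIST), ("denylist", DENYLIST)):
        print(f"--- {label}: {spec}")
        for cls in samples:
            status, pattern = check_class(spec, cls)
            print(f"{cls:32} {status:9} decided by {pattern!r}")
```

Run the script to print a decision table for both filter styles. To check a class name you see in a blocked-class log entry against your own cfserialfilter.txt, pass the file's contents as filter_spec. Note that java.lang.reflect.Proxy is rejected by the allowlist even though java.lang.* is permitted, because `.*` does not descend into sub-packages; confirm real behaviour on a staging server, since this model deliberately ignores limits and module prefixes.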
Mark Takata's Insights
Here is what Adobe ColdFusion Evangelist Mark Takata had to say about this update:
This update is a proactive fix for our supported versions which locks out future potential vectors for exploitation of CF. Basically, we fixed the security issues that came up in a targeted fashion when they arrived. But then we spent a great deal of time with internal Adobe security people (not just in CF) to think of the potential for future-proofing (as best we can) the generalized ways CF could be exploited, as it related to that smattering of bugs earlier.
This fix is a hardening, not a repair. It should also be noted that, due to the wide-ranging potential effects this work might have, we enlisted the help of several trusted community members to test the work on real workloads prior to releasing it into the wild. I want to thank those customers and community partners for their hard work in making sure this update did not negatively affect performance or introduce any bugs. You folks know who you are and we appreciate you.
— Mark Takata, "cfml" Slack space, #adobe channel, 8/17/2023
Logging and Testing
The new wddx.log file in the logs folder records the Java classes that the filter blocked during deserialization attempts. Review it both to spot attack attempts and to troubleshoot legitimate code that the filter now breaks.
CF Webtools has installed this update on a staging server and has not seen any issues. After that successful test, we are on a path to update our clients' servers with this latest patch.
Important Installation Notes
IMPORTANT: Install this update before upgrading to Oracle JDK 11.0.20 or newer. JDK 11.0.20 introduced additional validation of ZIP64 extra fields that is known to break the hotfix installer. If you have already moved to 11.0.20 or newer, download the hotfix .jar manually and run it with JDK 11.0.19 or older; the JRE bundled in the ColdFusion install directory is usually an older version you can use for this.
According to Charlie Arehart, you may also run java -Djdk.util.zip.disableZip64ExtraFieldValidation=true -jar hotfix.jar (substituting the actual hotfix file name) to skip that validation; however, we have yet to try this method.
The release notes also state that JEE (application-server) deployments of ColdFusion require an additional JVM flag for this update. If you run the standalone installation, or do not know what a JEE deployment is, you can almost certainly skip that step.
Server Security Considerations
There are good arguments for blocking direct HTTP access to CFCs from the public Internet as part of the server lockdown process. The recent issues were triggered through CFCs (admin authentication and WDDX deserialization) via inbound HTTP requests, not through in-code CFC calls, so a web-server block on .cfc URLs removes that request path without touching application code. The caveat is that applications which call remote CFC methods from the browser (AJAX calls, cfajaxproxy, remoting) need those specific endpoints allowed, or they will break. In a perfect world, everyone would be using REST, GraphQL, or something similar behind an API gateway, which provides both structure and protection. In the real world, developers or business owners are often either unaware of the associated risks or lack the budget or business sign-off to implement an API architecture or gateway.
Blocking CFCs is debatable but worth considering. One approach is to block them by default in the server build and then whitelist specific CFCs (or lift the block) only where an application genuinely needs remote access. Several users have argued for this in the Adobe ColdFusion Community threads.
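As an added illustration of the block-by-default, whitelist-by-exception approach (this is example configuration written for this post, not from Adobe or the ColdFusion Community threads), here is what it looks like on Apache httpd 2.4 in front of ColdFusion. The /api/public.cfc path is a hypothetical endpoint that an application needs to keep reachable over HTTP.

```apacheconf
# Deny direct HTTP access to any .cfc, case-insensitively, including the
# path-info form (/foo.cfc/bar) and Tomcat path parameters (/foo.cfc;x=y).
# The query string (?method=...) is not part of the matched path, so
# /foo.cfc?method=remote is covered by the "$" alternative.
<LocationMatch "(?i)\.cfc(/|;|$)">
    Require all denied
</LocationMatch>

# Hypothetical exception: one CFC the application calls from the browser.
# Location sections are merged in configuration order, so this later,
# more specific section overrides the deny above for this path only.
<LocationMatch "(?i)^/api/public\.cfc$">
    Require all granted
</LocationMatch>
```

This only affects requests that arrive over HTTP; in-code CFC calls (createObject, cfinvoke, cfobject) never pass through the web server and keep working. On IIS the equivalent is a Request Filtering or URL Rewrite rule. Whichever server you use, test bypass variants on staging before relying on it: different letter case, trailing path info, path parameters and URL-encoded dots, and confirm the rule is evaluated before the request is handed to the ColdFusion connector.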
Final Recommendations
Please remember that this update applies only to Adobe ColdFusion 2021 and 2023; ColdFusion 2018 has reached its end of life and will not receive it. If you are not running ColdFusion 2021 or 2023, CF Webtools recommends upgrading so that you receive fixes like this one. If you must continue to run 2018 or older, we recommend blocking CFCs at the web server level to help mitigate these issues, both those already known and those yet to be found. If you would like help mitigating your risks or with an upgrade, we will be happy to help!