What is the ColdFusion serial filter?
The cfserialfilter.txt file ensures protection against insecure Wddx deserialization attacks. On the other hand, the already existing serialfilter.txt blocks Java deserialization by disallowing certain Java classes or packages.
How do I download the updates?
What do these updates contain?
What else?
- Docker images for ColdFusion 2021 and 2023 will be pushed to AWS ECR and Docker Hub shortly.
- CFFiddle will be updated with ColdFusion 2021 Update 10 and ColdFusion 2023 Update 4 shortly.
Staff
17 posts
A couple of thoughts for readers: while this update doesn’t link to any Adobe product security bulletin (apsb, it is indeed a very important security update, offering a more complete resolution to some of the vulns addressed in the 3 CF security updates last month. For more details, see the update technote linked to above, especially how you can modify things related to the new protection. Thanks for trying to better address the issues here, Adobe. (Time will tell how things go for folks, of course.)
Also, sadly for those using cf2018, its end of life was last month, so it seems this update will not be made available to them. Another reason to consider moving up to cf2023, the only version currently sold by Adobe.
Finally, I noticed earlier today (until minutes before posting this comment) that today’s update was not showing up in my CF Admin. Indeed, I checked and the feed URL did not yet have today’s update. But it does now, for me at least. This could have do with caching anywhere between our own computers and Adobe–so if you may find it’s “not there” for you either, just be patient. Or as the technotes offer, you COULD download and apply the update manually.
You must be logged in to post a comment.
23 Nov
10AM Pacific
Online
