ColdFusion (2021 release) Update 23

Security recommendations

For all security updates, Adobe recommends applying the security configuration settings outlined on the ColdFusion Security page and reviewing the respective Lockdown guide.  

• ColdFusion 2021 Lockdown Guide

ColdFusion (2021) Update 23 (release date, 9 December 2025) includes important security fixes that mitigate vulnerabilities related to arbitrary file system write, arbitrary file system read, arbitrary code execution, and security feature bypass. The update also upgrades the underlying Tomcat engine to version 9.0.111.0.

View the security bulletin, APSB25-105, for more information.

New JVM flags

• -Dcoldfusion.websocket.selector.validation
• -Dcoldfusion.deserialization.safeguard.enabled
• -Dcoldfusion.pdf.ddx.allowExternalEntities
• Renamed -Dcoldfusion.datasource.blocked.properties to -Dcoldfusion.datasource.allowed.properties

See JVM arguments in ColdFusion 2023 and 2021 update releases for more information.

Changes to serialfilter

ColdFusion blocks all class deserialization by default.

From this update, ColdFusion blocks all class deserialization by default. ColdFusion applies a default‑deny deserialization policy using an internal allowlist of classes required by the platform and the cfusion/lib/serialfilter.txt file, which you can edit to whitelist additional safe classes or packages. Classes not on this allowlist are blocked, and an error is logged advising you to add the relevant class or package to serialfilter.txt if you wish to allow it.

When a class is blocked, ColdFusion logs a clear message in both server.log and exception.log, for example:
Error","http-nio-8502-exec-1","11/12/25","11:34:20","", "Due to security reasons, java.util.HashMap is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."

In case you want to debug further, the stack trace will be in exception.log

If required for backward compatibility or troubleshooting, you can temporarily restore the previous, less restrictive behaviour by setting -Dcoldfusion.deserialization.safeguard.enabled=false. This option is intended only for non-production use and is not recommended for production environments.

Earlier in JEE deployments, the serialfilter.txt file was not functioning, and administrators had to rely on the -Djdk.serialFilter JVM option instead. This limitation has been addressed, and serialfilter.txt is now functional in JEE deployments. If both configurations are present, the -Djdk.serialFilter setting continues to take precedence over serialfilter.txt.

CAR migration changes

ColdFusion Archive (CAR) creation and deployment now honor path allow‑lists defined in <cf_home>/cfusion/lib/pathfilter.json. 

1. CAR deployment (car.deploypath)

   By default, no CAR file can be deployed from any path.

   • The source paths from which CAR files may be deployed must be explicitly whitelisted under the car.deploypath key in pathfilter.json.
   • If a CAR is deployed from a non‑whitelisted path, deployment fails and an error is logged in car_deploy.log, for example:

     "Error","","10/29/25","10:14:41","","The path \\localhost\c$\new12.car is not whitelisted in pathfilter."

2. CAR creation (car.associatedfiles)

   • Files and directories included in a CAR as “Associated Files/Dirs” are now checked against the car.associatedfiles allow‑list in pathfilter.json.
   • Non‑whitelisted files/directories are skipped when building the CAR and are logged in car_archive.log.
   • The CAR build still completes, but unsafe or non‑allowed content is not bundled.

Configuration format

To configure allowed paths for CAR operations, use the following structure in pathfilter.json:

"car": {
"deploypath": "",
"associatedfiles": ""
}

You can also deploy CARs from shared locations, as long as those locations are explicitly listed in car.deploypath.

New Tomcat version

The update includes a new version of Tomcat, v9.0.111.0

Bugs fixed in the update

Known issues in the update

cfdf

The cfpdf tag’s archive action currently fails when targeting the PDF/A‑2b standard. Attempts to archive PDFs to PDF/A‑2b can throw a NullPointerException in the internal metadata processing instead of completing successfully.

Serialization

In this update, the deserialization safeguard can affect two areas:

• First, on ColdFusion 2021 running with an older Java 11 build, logging of blocked deserialization does not work correctly (you may see warnings that ObjectInputFilter is not available), so you should run on a latest Java 11 to get proper error logging.
• Second, for security reasons we have blocked java.io.Serializable by default, which may affect features such as ORM, Hibernate, or EhCache. Code paths that uses deserialize Serializable[] may fail with errors such as:

"Due to security reasons, java.io.Serializable; is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization."

As a workaround, allow java.io.Serializable in cfusion/lib/serialfilter.txt

ColdFusion JDK flag requirements

COLDFUSION 2021 (version 2021.0.0.323925) and above

For Application Servers   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;", in the respective startup file depending on the type of Application Server being used.

For example:   

• Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file   
• WebLogic Application Server:  edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file   
• WildFly/EAP Application Server:  edit JAVA_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.  

Prerequisites

1. On 64-bit computers, use 64-bit JRE for 64-bit ColdFusion.
2. If the ColdFusion server is behind a proxy, specify the proxy settings for the server to get the update notification and download the updates. Specify proxy settings using the system properties below in the jvm.config for a stand-alone installation, or corresponding script file for JEE installation.
   • http.proxyHost
   • http.proxyPort
   • http.proxyUser
   • http.proxyPassword
3. For ColdFusion running on JEE application servers, stop all application server instances before installing the update.

Installation

ColdFusion Administrator

In Package Manager > Packages, click Check for Updates in Core Server.

After it detects an update, click Update. The core package gets updated with the latest update.

All installed packages that needs an update get updated.

Restart ColdFusion for the changes to take effect.

Install the update in offline mode manually

1. Download the hotfix installer from the link.
2. Download the packages zip file from this link and extract its contents to a location accessible to all ColdFusion server instances.
3. Update "packagesurl" in cfusion/lib/neo_updates.xml of cfusion and all its child instances to point to <InstallerReposityUnzippedPath>/bundles/bundlesdependency.json present inside the downloaded folder.

If the core server hotfix installation is successful and if there are errors or issues with packages, packages can be installed/updated from the package manager client(cfusion\bin\cfpm.bat|cfpm.sh).

You must have privileges to start or stop ColdFusion service and full access to the ColdFusion root directory.

• Windows: <cf_root>\jre\bin\java.exe -jar <InstallerReposityUnzippedPath>\bundles\updateinstallers\hotfix-023-330486.jar
  
• Linux-based platforms: <cf_root>/jre/bin/java -jar  <InstallerReposityUnzippedPath>/bundles/updateinstallers/hotfix-023-330486.jar

Ensure that the JRE bundled with ColdFusion is used for executing the downloaded JAR. For standalone ColdFusion, this must be at, <cf_root>/jre/bin.

Install the update from a user account with permission to restart ColdFusion services and other configured webservers.

For further details on manually updating the application, see the help article.

Post installation

Uninstallation

To uninstall the update, perform one of the following:

• In ColdFusion Administrator, click Uninstall in Server Update > Updates > Installed Updates.
• Run the uninstaller for the update from the command prompt. For example, java -jar {cf_install_home}/{instance_home}/hf_updates/hf-2021-00023-330486/uninstall /uninstaller.jar

If you can't uninstall the update using the above-mentioned uninstall options, the uninstaller could be corrupted. However, you can manually uninstall the update by doing the following:

1. Delete the update jar from {cf_install_home}/{instance_name}/lib/updates.
2. Copy all folders from {cf_install_home}/{instance_name}/hf-updates/{hf-2021-00023-330486}/backup directory to {cf_install_home}/{instance_name}/

Q: If I uninstall ColdFusion 2021 Update 23, will all the packages installed with it be rolled back?
A: No. Package rollback depends on the minimum core dependency of each package:

• Packages with a minimum core dependency of update 23 (that is, they specifically require this core level) are rolled back when you uninstall this core update.
• Packages with a minimum core dependency of update 22 or update 21 remain installed at their latest compatible versions and are not rolled back automatically when you uninstall the core update.

Connector configuration

Packages updated