# adobe
d
@Mark Takata (Adobe) Very sorry to pull you into this, but I need better clarity, my people are banging on me to do stuff, and I'm not sure what exactly are the right things to do. Yes, I've read Charlie's very helpful article.
1. Does Update 10 for CF 2021 require jdk-11.0.20?
2. Is editing of cfserialfilter.txt required for Update 10 to actually have any effect?
3. If so, how do we know what edits are needed, and what doing that may break?
m
Hi Dave, To answer your questions,
1. Does Update 10 for CF 2021 require jdk-11.0.20? - No, it doesn't require jdk-11.0.20
2. Is editing of cfserialfilter.txt required for Update 10 to actually have any effect? - No, just installing Update 10 is enough
3. You can refer to this document to find out the same - https://chl-author.corp.adobe.com/content/help/en/coldfusion/kb/coldfusion-serialfilter-file.html
d
Thanks for trying to help, but I can't get to that URL. After alerts that it's not secure, I end up with this msg:
The browser could not find the client cert installed by the Banyan App. Please verify that you are registered through the Banyan App. If you have just installed the App, please restart your browser and retry.
If you don't mind me asking, who are you? You're sending me to a weird URL on the Adobe site, and you don't have any identifiers indicating you work for them. I'm just confused.
s
d
Thank you, and thanks @Mark Takata (Adobe) for liking the post, so we can know that these folks speak for Adobe (they're not identified any other way that I saw). QUESTION: Sorry to nit, but that doc says:
In cfserialfilter.txt, the packages that ColdFusion allows by default for deserialization are...
And also:
In serialfilter.txt, the packages that ColdFusion disallows by default for deserialization are...
I don't quite get it. There's a default ALLOW list, AND a default DENY list? How does that work? When there's an ALLOW list, doesn't that mean nothing but those items is allowed, in which case what's the use of a DENY list? (Imagine me asking the opposite question too.) Apologies if I'm being thick.
m
Sorry Dave, I will ask folks to put their official identities in. Both @Megha and @Satyam Mishra are Adobe engineers. I wish there was a way we could have an admin tag us.
d
Thanks Mark, just some way to know who they are would be good. Weird that they didn't respond when I asked.
s
In the pursuit of augmenting luminance, we delve into the following intricacies. The file "serialfilter.txt" embodies the default deny list and finds application within Java deserialization processes. When the "readObject()" method of Java is engaged, the contents of this file undergo scrutiny, prompting the execution of relevant measures. On a parallel note, "cfserialfilter.txt" (intrinsically equipped with an allowed list by default) exclusively functions within wddx deserialization scenarios. The contents of this file come into play when operations involving "argumentCollection" or "wddxTag" are invoked. Evidently, both files find purpose within distinct workflows, with their trajectories never intersecting. Crucially, both files offer provisions for "Allow" and "Block" actions. Notably, any package name preceded by the "!" (negation) sign is automatically earmarked as "Blocked"; conversely, package names devoid of this prefix are deemed "Allowed."