Skip to main content
J
Jose22202755v2f3
Participating Frequently
January 23, 2026
Question

Just installed cf 2021 Upd23 and now cant connect to Oracle 19c DS

  • January 23, 2026
  • 2 replies
  • 94 views

Keep getting.

 

java.sql.SQLException: Index -1 out of bounds for length 0

 

Please help. 

 

I cleared Felix -cache, tried Odbc11.jar in ..\lib folder restarted no difference.

 

running out of options before rollback.

 

ty community. I was on call with Adobe over 1 hour they hung up.

No respnse from CFsup... email

 

Jose Duenas

Lead systems Kaiser

    2 replies

    BKBK
    Community Expert
    BKBKCommunity Expert
    Community Expert
    January 23, 2026

    The issue might be related to a recent change in ColdFusion. The change was in deserialization. Since the change, ColdFusion blocks all class deserialization by default. However, I think deserialization is only indirectly involved in causing the issue.

    My guess is that:

    • the Oracle JDBC driver attempts to deserialize internal resources (for example, character converters, byte arrays, etc.);
    • ColdFusion blocks that deserialization;
    • The Oracle driver swallows the exception internally;
    • In the driver, internal arrays remain uninitialized;
    • When ColdFusion later accesses one such array, the result is the error "Index -1 out of bounds".

     

    So, the solution I would suggest is to allow the Oracle driver to deserialize. To do so, you need to explicitly allow the driver's internal packages (oracle.sql.**, oracle.jdbc.**) in the /lib/serialfilter.txt file.

     

    The steps of my suggestion, in full:

    1.  Stop ColdFusion; 
    2.  Replace your current ojdbc11.jar file with the latest version. You will then have recent improvements to the Oracle driver.
    3.  Check your lib directories and class paths (for example, /cfusion/lib, /webroot/WEB-INF/lib) and make sure that there are no other ojdbc Jar files. Having even one older JDBC Jar anywhere can trigger an exception. Hence no ojdbc8.jar or ojdbc10.jar. If there are, delete them. 
    4.   Add the following package-names to /lib/serialfilter.txt:
      oracle.jdbc.**;oracle.sql.**;​
    5.  Restart ColdFusion;
    6.  Verify the Oracle (type: "Other") datasource.
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    January 23, 2026

    I suspect that's indeed it. Good catch, BKBK. When I was writing last night (literally just before going to bed), I didn't connect the dot that that cf21 update 23 was the one that implemented that change.

     

    BTW, Jose, you can CONFIRM if this was the issue.

     

    Note how that update's technote clarifies that if such an error happens, cf will write an error to its logs. It's not in the coldfusion-out.log or coldfusion-error.log but rather in both the server.log (a brief mention) and exception.log (adding a stack trace). And the technote clarifies the error to look for, along the lines of "Due to security reasons, [your class name ] is blocked for deserialization. Add the class/package in the file cfusion/lib/serialfilter.txt to override the behavior and allow deserialization." (The technote also goes to clarify how to add that to the serialfilter.txt.)

     

    And it makes all the more sense that this is the issue if you're using an "other" driver (which was one of my questions above). That said it's also understandable that Adobe can't have whitelisted automatically the class names for jars they don't distribute, even such "common ones" as this, used often by people on cf Standard rather than Enterprise (where Adobe DOES offer an oracle driver and seemingly DOES whitelist internally its classes). But over time as more such commonly used Java libraries lead to such errors, we'll as a community come to identify such "common" classes as might be safely added to that serialfilter.txt.

     

    (That said, folks should not just add to the serialfilter.txt ANY classes identified with ANY such errors. Some will be the result of cf now BLOCKING what was a bad guy request. Oh, the tangled web that security concerns weave.) 

     

    Looking forward to how things worked out for you, Jose. And again kudos, BKBK. 

    /Charlie (troubleshooter, carehart. org)
    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    January 23, 2026

    Jose, I'll offer thoughts with numbers, so you can respond to any using the number. If you see this within 45 mins of me posting it and want direct help rather than considering all these points, jump to number 15 below.

     

    1. I'm not aware of a known issue with oracle after that update. Maybe someone else will connect that dot. 
    2. Can you confirm no other change was made? Did you perhaps also update the Java that Cf uses?
    3. What update had you been on before? That would be important if you were on earlier than 22, as then I possibly the impact of changes in any of multiple updates that need to be considered.  You can generally tell by seeing what update numbers are indicated in that hf-updates folder. 
    4. Do you really use odbc or jdbc? In the cf admin, for example, is the DSN using the built-in oracle driver or one you added, using an "other" driver type? Even that would be jdbc. Maybe you meant an ojdbc jar.
    5. Either way, you say you "tried" it "in ../lib". Where was it before?
    6. As for what may be amiss, have you confirmed first that there were "0 fatalerrors" in the update log, within hf-updates?
    7. Were there no errors about package updates at the bottom of that log?
    8. Were there no errors during the update of packages at the next cf startup, as tracked in coldfusion-out.log?
    9. Did you do the update or someone else? Was the update done via the cf admin or command line? 
    10. Does the cf instance have the ability to download and install the updates, or must you do a "manual offline update" as described in the update technotes? 
    11. As for your emailing cfsup, that's not got any guarantee of a response in a given time (not even within a day), unless you pay for support and use a from address associated with that support plan.
    12. assuming nothing shared above helps you resolve things yourself, or if you reply here and there's either no resolution or you need to be back up sooner, did you try uninstalling the update? That should get you back to where you were.
    13. Is this prod or dev/stage? If the former, had all gone well in the latter, previously?
    14. I'll add that of course I help people solve such problems via remote screenshare consulting. For more on my rates, approach, satisfaction guarantee, online calendar, email, phone, and more, see the consulting page at carehart.org.
    15. If you're in desperate straits and need resolution tonight, I see you posted this about 50 mins ago. It's just after midnight us eastern time. I'll stay up about 45 more mins in case you may get this and want to arrange help ASAP. Otherwise you can find an available slot in the morning (and if you indicate here you'd like to meet earlier, I may see that in the early morning. Better to email me to arrange that early session, via support@carehart.org.)

     

    Or again maybe someone else might offer you a different suggestion overnight to get you going again. Even if you can't or don't want to meet, and even if you may hope someone else "has the answer" for you, while you wait I hope you'll go ahead and answer the questions raised above--first for yourself, and then to us if the problem remains. Even someone else (offering a different suggestion) might benefit hearing some detail you may share. 

    /Charlie (troubleshooter, carehart. org)
    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices