Adobe coldfusion 2021 default encryption algorithm changes

[Dejan Karan]

Hello,

We are using FW/1 4.2 and recently (In march and forward) starting with CF 2021 update 14 (https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-14.html) there has been some breaking changes. More specifically Adobe has changed the default algorithm.

Will these changes break anything in FW/1? 

I have not tested the apps using this framework yet as I'm trying to analyze where we use these methods in our old code.

From the update post:

"

What is changing

The default encryption algorithm in ColdFusion has changed from CFMX_COMPAT to AES/CBC/PKCS5Padding for the following functions:

• Encrypt
• EncryptBinary
• Decrypt
• DecryptBinary

Additionally, the default encryption algorithm of Hash function has changed from CFMX_COMPAT to SHA-256 hashing algorithm.

The default encryption algorithm for the following Rand* functions has changed from CFMX_COMPAT to SHA1PRNG. 

SHA1PRNG is a random number generator

• Rand
• Randomize
• RandRange

"

[Sean Corfield]

FW/1 does not use encrypt/decrypt, or any rand* functions, at all. It uses hash() but only internally, so the change won't affect any behavior. Some of the _examples_ in the repo use them, but not the framework itself.

You will need to search your own codebase for use of those functions, however.