Adobe ColdFusion 2021 default encryption algorithm changes

Dejan Karan

Oct 18, 2024, 12:24:19 PM
to framework-one
Hello,

We are using FW/1 4.2, and recently (in March and forward), starting with CF 2021 update 14 (https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-14.html), there have been some breaking changes. More specifically, Adobe has changed the default algorithm.

Will these changes break anything in FW/1? 

I have not tested the apps using this framework yet as I'm trying to analyze where we use these methods in our old code.

From the update post:

"

What is changing

The default encryption algorithm in ColdFusion has changed from CFMX_COMPAT to AES/CBC/PKCS5Padding for the following functions:

Additionally, the default encryption algorithm of Hash function has changed from CFMX_COMPAT to SHA-256 hashing algorithm.

The default encryption algorithm for the following Rand* functions has changed from CFMX_COMPAT to SHA1PRNG. 

SHA1PRNG is a random number generator

"

Sean Corfield

Oct 18, 2024, 12:30:15 PM
to framework-one
FW/1 does not use encrypt/decrypt, or any rand* functions, at all. It uses hash() but only internally, so the change won't affect any behavior. Some of the _examples_ in the repo use them, but not the framework itself.

You will need to search your own codebase for use of those functions, however.
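
Added example (not part of either post and not FW/1 code): one way to run the codebase search suggested above is to flag calls that omit the algorithm argument, since those are the calls that pick up the new defaults. The function names and argument positions are assumed from the ColdFusion function signatures, because the function lists in the quoted update text are not shown here. Calls that appear inside comments or string literals are also reported, so treat the output as a triage list.

```python
import re

# 1-based position of the optional algorithm argument (assumed; check CF docs).
ALGORITHM_ARG = {"encrypt": 3, "decrypt": 3, "encryptbinary": 3,
                 "decryptbinary": 3, "hash": 2, "rand": 1,
                 "randrange": 3, "randomize": 2}
# Skip member calls (obj.hash(...)) and longer names (myHash(...)).
CALL = re.compile(r"(?<![\w.])(" + "|".join(ALGORITHM_ARG) + r")\s*\(", re.I)

def count_args(src, start):
    """Count top-level arguments of a call whose body starts at src[start]."""
    depth, quote, commas, nonempty = 1, None, 0, False
    for ch in src[start:]:
        if quote:  # inside a string literal: only the closing quote matters
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote, nonempty = ch, True
        elif ch in "([{":
            depth, nonempty = depth + 1, True
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                return commas + 1 if nonempty else 0
        elif ch == "," and depth == 1:
            commas += 1
        elif not ch.isspace():
            nonempty = True
    return None  # unbalanced parentheses, e.g. a truncated file

def find_default_algorithm_calls(source):
    """Return (line, function, arg_count) for calls that omit the algorithm."""
    hits = []
    for m in CALL.finditer(source):
        name = m.group(1).lower()  # CFML function names are case-insensitive
        n = count_args(source, m.end())
        if n is not None and n < ALGORITHM_ARG[name]:
            hits.append((source.count("\n", 0, m.start()) + 1, name, n))
    return hits

# Constructed sample CFML; not taken from FW/1 or any real application.
SAMPLE = '''<cfset token = hash(user.email & salt)>
<cfset digest = Hash(payload, "SHA-256")>
<cfset secret = encrypt(form.ssn, application.key)>
<cfset plain = decrypt(secret, getKey("a,b"), "AES/CBC/PKCS5Padding", "Base64")>
<cfset n = RandRange(1, max(10, limit))>
<cfset h = variables.util.hash(x)>
'''
for hit in find_default_algorithm_calls(SAMPLE):
    print("line %d: %s() with %d argument(s), no explicit algorithm" % hit)
```

Each flagged call needs a decision: pass the old algorithm explicitly to keep existing stored values readable, or migrate the data to the new default.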
