Clarification on 2021 CF update 14

Report · Nov 13, 2024

I just updated to update 14 and i know per the tech doc:

https://helpx.adobe.com/coldfusion/kb/coldfusion-2021-update-14.html

they replaced cfmx_compat algorithm as the default. They say to use a flag, which i did as i need things to stay the same until i update my code.

Here is my question. They indicate the flag will be available until next version after CF2023. Fine. They seem to indicate the jvm flag will go away and no matter what the default will not be cfmx_compat anymore. But they indicate higher up in the doc that cfmx_compat is not going away, just its not the default--meaning we can still use it if we specify it.

My question is about after CF2023: the way this is written, is it just the flag going away or will the entire algo leave also?

If all that is happening is they are changing the default algo (even after 2023 thats okay). My fear is if they remove it all together that will be problematic for me. If they keep it but I have to change my code off the default and specify it, i can do that and not have to make any database changes. Otherwise it's going to be a major headache. How do you'all read it?

Report · Nov 13, 2024

Rick, I read it that the algo is NOT going away, only the ability of this new jvm arg to REVERT the change in the default (as introduced by this cf2021 update 14 or cf2023 update 8).

To be clear, if one leaves the arg in, it's not that CF2025 won't start. It just will be ignored. This has happened with other jvm args introduced in the past for short-term fixes like this.

As for your code, if YOU change your code so that YOUR use of the encrypt/decypt/hash/rand* functions do now SPECIFY to use CFMX_COMPAT, those should still work in CF2025 and beyond.

Do I KNOW this to be so? Well, no. We won't know for sure until CF2025 comes out (the final or a public prerelease). But I'm saying this is how I read things, as you asked.

And in case no one from Adobe answers you here, note that you can also ask on the forum post when the update was announced in June. Or you could email cfsup@adobe.com and ask them directly. If you do that and get an answer, please do let us know here.

Finally, I tweaked your note from being one long paragraph, and I made a couple of typo/grammar tweaks to help other readers, which I hope you won't mind. As a moderator I have that capability but I almost NEVER use it, as I'm sure it could offend some that anyone would dare "touch their stuff". 🙂

/Charlie (troubleshooter, carehart.org)

Report · Nov 14, 2024

Thank you very much and no i dont mind the text correction. I was in a hurry to post. Thanks for your answer also.

Report · Nov 14, 2024

Hi @rickmaz ,

The way I read it, this is about ColdFusion's use of "CFMX_COMPATAsDefault". The change means ColdFusion will no longer use CFMX_COMPAT as the default algorithm. You have to add the JVM flag to tell ColdFusion to continue to use it as the default.

Now, on to the additional documentation,

"However, in the next major release of ColdFusion, we WILL remove the flag."

The way I read this is that, from the next major release onwards, you will not be allowed to use the flag. That is, you will no longer be allowed to configure ColdFusion to use CFMX_COMPAT as the default algorithm. I suspect you will get an error if you try to.

I think so because the default algorithms will then have changed to

SHA-256 (for hashing);
SHA1PRNG (for encryption and decryption).

The way I read it, from the next major ColdFusion release onwards, the only way to use CFMX_COMPAT will be to manually pass it, as the "algorithm" argument, to any function that needs it.

Report · Nov 14, 2024

Thank you!

Clarification on 2021 CF update 14

1 Correct answer