
Announcing ColdFusion updates released June 11 2024: another possible breaking change

This is another important heads-up for my readers: there was an important security update released today by Adobe for ColdFusion 2023 (its update 8) and ColdFusion 2021 (its update 14). Just like the recent CF updates in March, this one again has a potential breaking change (trading away compatibility for the sake of security), and it adds yet another JVM arg that allows you to "revert" to the previous default behavior--so you can still benefit from the OTHER security aspects of the update while you take the time to address what should be changed.

In this case, the change concerns CF's encryption-related functions: the default encryption algorithm is changing. That means anyone who encrypts/decrypts (or hashes or randomizes) data in their apps MUST take steps before applying this update. For more, read on.
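To make the "steps" concrete, here is an added example (it is not code from the original post, nor from Adobe's technote) that walks through what an app relying on the old implicit default should do: name the legacy algorithm explicitly on the existing data, then re-encrypt that data under AES so it no longer depends on any default at all. The key "123", the plaintext and the idea that the AES key is handed off to a secrets store are all constructed for the demo.

```cfml
<cfscript>
// Added example, not from the original post. Migrates a value that was
// encrypted under the old implicit default (CFMX_COMPAT) to AES, naming the
// algorithm on every encrypt()/decrypt() call so that behavior no longer
// depends on the coldfusion.encryption.useCFMX_COMPATAsDefault JVM arg.
legacyKey = "123";                 // constructed demo key
plaintext = "test msg";            // constructed demo value

// 1. Simulate data written by an older app. Before this update, a
//    two-argument encrypt() call silently meant CFMX_COMPAT; naming it here
//    makes the sample behave the same on any update level.
legacyCipher = encrypt(plaintext, legacyKey, "CFMX_COMPAT");

// 2. The minimum fix: decrypt with CFMX_COMPAT named explicitly. This works
//    whether the JVM arg is true, false, or absent.
recovered = decrypt(legacyCipher, legacyKey, "CFMX_COMPAT");

// 3. The real fix: re-encrypt under AES with a properly generated key.
//    CFMX_COMPAT is not strong encryption; the JVM arg only buys time
//    to reach this step. For AES in CBC mode, ColdFusion generates a
//    random IV and prepends it to the output when no IV is passed.
//    (Assumption: aesKey is persisted in a secrets store, not in code.)
aesKey = generateSecretKey("AES");
newCipher = encrypt(recovered, aesKey, "AES/CBC/PKCS5Padding", "Base64");
roundTrip = decrypt(newCipher, aesKey, "AES/CBC/PKCS5Padding", "Base64");

// 4. Report which default the server currently applies, so an operator can
//    tell whether any remaining un-parameterized encrypt() call still means
//    CFMX_COMPAT on this instance.
prop = "coldfusion.encryption.useCFMX_COMPATAsDefault";
defaultMode = structKeyExists(server.system.properties, prop)
    ? "JVM arg set to " & server.system.properties[prop]
    : "JVM arg not set (post-update default applies)";

writeOutput("Legacy CFMX_COMPAT ciphertext: " & legacyCipher & "<br>");
writeOutput("Recovered plaintext matches: " & (recovered eq plaintext) & "<br>");
writeOutput("AES ciphertext (Base64, IV prepended): " & newCipher & "<br>");
writeOutput("AES round trip matches: " & (roundTrip eq plaintext) & "<br>");
writeOutput("CF version: " & server.coldfusion.productversion & "<br>");
writeOutput("Server default: " & defaultMode & "<br>");
</cfscript>
```

Step 2 alone is enough to keep existing data readable without the JVM arg; step 3 is what actually removes CFMX_COMPAT from the app. If you do set the arg in jvm.config while migrating, write it as -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=true with no space around the "=".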

Update: As a heads-up, a few weeks after this post ANNOUNCING the update and its key change, I created another post that addresses confusion many still seem to have after reading the Adobe technote on the update (links below). You may want to skip to that post first: On handling the June 2024 CF update change of default algorithm from CFMX_COMPAT.

Otherwise, read on for what I wrote originally.


Comments
An update since the original post: someone kindly informed me (directly, rather than as a comment here) that the technote has a mistake, where it has a space before the "=" in the assignment for the JVM arg. And if you don't remove that, CF won't start if you use it that way!

So I've added an update to my post above about this.

And if you are the person who sent me word, please send it again. It was early in my day here at cfcamp in Germany, and I can't recall how you had sent it. I looked through several places before writing this! :-)

I am doing an upgrade from 2016 and the Migration wizard brought over datasources just fine. I upgraded to CF2023 update 8, added the Compat jvm arg, and restarted the service, but the DSNs will not validate until I rekey the password. CF throws the below error, so it seems like the argument is not working, unless I am missing something.

Error below:
Error editing/creating this dsn (dsn-name)
An error occurred while trying to encrypt or decrypt your input string: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
# Posted By Mike Collins | 6/14/24 10:13 AM
In reading the security bulletin and other info related to this update, I understood the change to be that CFMX_COMPAT would simply no longer be the default encryption algorithm. I presumed if the optional algorithm parameter was supplied that the encryption would still work without setting the JVM argument -Dcoldfusion.encryption.useCFMX_COMPATAsDefault=TRUE in the ColdFusion Administrator. For example, where local.algorithm is set to "CFMX_COMPAT":

    local.result = encrypt(arguments.fromString, getKey(arguments.algorithm), local.algorithm, local.encoding );

However, that does not appear to be the case. The encryption actually works, but not without the "...error occurred while trying to encrypt or decrypt your input string: '' Can not decode string..." warning.

Has anyone else encountered this?
# Posted By Vicki | 7/9/24 10:17 AM
Vicki, things do indeed work the way the technote indicates. If you're finding otherwise, I would suggest you confirm that your "local.algorithm" variable does have the value you think it does. :-)

But more specifically, here is code that will demonstrate that things work if (as you propose) one DOES set the 3rd arg (for encrypt or decrypt) to "cfmx_compat", and this works whether you set the jvm arg true or false or if you leave it off. Notice how my code outputs whether that's so, as well as the CF version and update level.

<cfscript>
msg = "test msg"
algo = "cfmx_compat"
key = "123"
writeOutput("Message to encrypt:" & msg & "<hr>")
// the 3rd arg names the algorithm explicitly, so no default applies here
encryptedMsg = encrypt(msg, key, algo)

decryptedMsg = decrypt(encryptedMsg, key, algo)
writeOutput("Decrypted message:" & decryptedMsg & "<hr>")

writeOutput("CF version: " & server.coldfusion.productversion & "<hr>")
// report whether the JVM arg is present at all and, if so, its value
writeOutput("JVM arg -Dcoldfusion.encryption.useCFMX_COMPATAsDefault")
if (not structKeyExists(server.system.properties, "coldfusion.encryption.useCFMX_COMPATAsDefault")) {
    writeOutput(" <u>is not set</u>")
}
else {
    writeOutput("=" & server.system.properties["coldfusion.encryption.useCFMX_COMPATAsDefault"])
}
</cfscript>

Please let us know how things go.

Thanks, Charlie, as always. I have determined that what I originally assumed and what you stated is, of course, true. I also had already confirmed my "local.algorithm" variable had the value I expected. In the end, I believe the issue I experienced was a caching issue! In any event, all is good in my world now. Thank you most kindly for your assistance!
# Posted By Vicki | 7/12/24 10:00 AM
Good to hear, and as some would say, indeed "both things can be true". :-)
Right on!
# Posted By Vicki | 7/12/24 11:42 AM
Copyright ©2025 Charlie Arehart