Unsafe random bit generation algorithms
ColdFusion Enterprise installation includes FIPS compliant RSA BSAFE JCE Crypto Provider. Default algorithm used by this library for random number generation is ECDRBG (A variant of Dual Elliptic Curve). RSA has released an advisory regarding same (ESA-2013-068) listing unsafe random bit generation algorithms.
ColdFusion sets the default random number generator algorithm to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>) which is completely safe to use. So good news is by default your ColdFusion 10 installation is secure. Note that CrypotJ libraries are not available in Standard installation of ColdFusion.
ColdFusion 9 family uses BSafe library 3.6 which doesn’t make use of ECDRBG based algorithms. It uses SHA1PRNG as default random number generation algorithm. There is no impact on coldfusion 9. JVM argument -Dcoldfusion.jsafe.defaultalgo is not available in ColdFusion 9 family.
Following table lists unsafe random bit generation algorithms.
|ECDRBG||Dual EC DRBG (128 Bit)|
|ECDRBG128||Dual EC DRBG (128 Bit Default)|
|ECDRBG192||Dual EC DRBG (192 bit)|
|ECDRBG256||Dual EC DRBG (256 bit)|
Pete from CF community has also blogged about the same here