Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability
December 14, 2021
Many Cloudflare customers consume their logs using software that uses Log4j, so we are mitigating any exploit attempts via Cloudflare Logs....
December 14, 2021
Many Cloudflare customers consume their logs using software that uses Log4j, so we are mitigating any exploit attempts via Cloudflare Logs....
December 10, 2021
Yesterday, December 9, 2021, when a serious vulnerability in the popular Java-based logging package log4j was publicly disclosed, our security teams jumped into action to help respond to the first question and answer the second question. This post explores the second....
December 10, 2021
I wrote earlier about how to mitigate CVE-2021-44228 in Log4j, how the vulnerability came about and Cloudflare’s mitigations for our customers. As I write we are rolling out protection for our FREE customers as well because of the vulnerability’s severity....
December 10, 2021
In this post we explain the history of this vulnerability, how it was introduced, how Cloudflare is protecting our clients. We will update later with actual attempted exploitation we are seeing blocked by our firewall service....
December 10, 2021
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021, that results in remote code execution (RCE)....
October 08, 2021
On September 29th 2021, the Apache Security team was alerted of a path traversal vulnerability being actively exploited (zero-day) against Apache HTTP Server version 2.4.49. Customers running the affected Apache version, should update to 2.5.51 as soon as possible....
September 08, 2021
On August 25, 2021, Atlassian released a security advisory affecting their Confluence application. The Cloudflare WAF soon after started mitigating an increase in malicious traffic to vulnerable endpoints ensuring customers remained protected....
March 07, 2021
Cloudflare has deployed managed rules protecting customers against a series of remotely exploitable vulnerabilities that were recently found in Microsoft Exchange Server. ...
November 13, 2020
Researchers from UC Riverside and Tsinghua University found a new way to revive a decade-old DNS cache poisoning attack. Read our deep dive into how the SAD DNS attack on DNS resolvers works, how we protect against this attack in 1.1.1.1, and what the future holds for DNS cache p...
July 07, 2020
Cloudflare has deployed a new managed rule protecting customers against a remote code execution vulnerability that has been found in F5 BIG-IP’s web-based Traffic Management User Interface (TMUI)....
October 24, 2019
Three vulnerabilities were disclosed as Cache Poisoning Denial of Service attacks in a paper written by Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath of TH Köln - University of Applied Sciences. These attacks are similar to the cache poisoning attacks presented last yea...
September 28, 2019
Cloudflare has released a new rule as part of its Cloudflare Specials Rulesets, to protect our customers against a high-severity vulnerability in vBulletin. A new zero-day vulnerability was discovered for vBulletin, a proprietary Internet forum software. ...
August 13, 2019
Today, multiple Denial of Service (DoS) vulnerabilities were disclosed for a number of HTTP/2 server implementations. Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks....
May 28, 2019
On Saturday, 11th May 2019, we got the news of a critical web vulnerability being actively exploited in the wild by advanced persistent threats (APTs), affecting Microsoft’s SharePoint server (versions 2010 through 2019)....
March 05, 2019
Drupal discovered a severe vulnerability and said they would release a patch. When the patch was released we analysed and created rules to mitigate these. By analysing the patch we created WAF rules to protect Cloudflare customers running Drupal....
September 05, 2018
On August 22 a new vulnerability in the Apache Struts framework was announced. We quickly deployed a mitigation to protect customers....
August 20, 2018
A few days ago, Cloudflare — along with the rest of the world — learned of a "practical" cache poisoning attack. In this post I’ll walk through the attack and explain how Cloudflare mitigated it for our customers....
April 24, 2018
Over the few last hours, a dozen news stories have broken about how an attacker attempted (and perhaps managed) to steal cryptocurrencies using a BGP leak....
April 20, 2018
Cloudflare’s team of security analysts monitor for upcoming threats and vulnerabilities and where possible put protection in place for upcoming threats before they compromise our customers....