CloudFlare sites protected from httpoxy
July 18, 2016 3:26 PM
We have rolled out automatic protection for all customers for the the newly announced vulnerability called httpoxy....
A Post Mortem on this Morning's Incident
June 21, 2016 6:03 AM
We would like to share more details with our customers and readers on the internet outages that occurred this morning and earlier in the week, and what we are doing to prevent these from happening again....
Inside ImageTragick: The Real Payloads Being Used to Hack Websites
May 09, 2016 1:34 PM
Last week multiple vulnerabilities were made public in the popular image manipulation software, ImageMagick. These were quickly named ImageTragick. ...
Yet Another Padding Oracle in OpenSSL CBC Ciphersuites
May 04, 2016 12:20 PM
Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it’s in the code that fixes Lucky13....
Staying afloat: the DROWN Attack and CloudFlare
March 01, 2016 1:45 PM
CloudFlare customers are automatically protected against the recently disclosed DROWN Attack. We do not have SSLv2 enabled on our servers....
MORE POSTS
February 11, 2016 12:49 AM
Change the (S)Channel! Deconstructing the Microsoft TLS Session Resumption bug
Several months ago we started hearing occasional reports from .NET developers that they were having trouble maintaining HTTPS sessions with one of our customer’s websites. ...
- By
December 17, 2015 6:05 PM
A Different Kind of POP: The Joomla Unserialize Vulnerability
At CloudFlare, we spend a lot of time talking about the PoPs (Points of Presence) we have around the globe, however, on December 14th, another kind of POP came to the world: a vulnerability being exploited in the wild against Joomla’s Content Management System....
- By
August 04, 2015 10:36 AM
A deep look at CVE-2015-5477 and how CloudFlare Virtual DNS customers are protected
Last week ISC published a patch for a critical remotely exploitable vulnerability in the BIND9 DNS server capable of causing a crash with a single packet. ...
- By
May 20, 2015 11:52 PM
Logjam: the latest TLS vulnerability explained
Yesterday, a group from INRIA, Microsoft Research, Johns Hopkins, the University of Michigan, and the University of Pennsylvania published a deep analysis of the Diffie-Hellman algorithm as used in TLS and other protocols. ...
- By
April 25, 2015 3:57 AM
New Magento WAF Rule – RCE Vulnerability Protection
Today the Magento Security Team created a new ModSecurity rule and added it to our WAF rules to mitigate an important RCE (remote code execution) vulnerability in the Magento web e-commerce platform....
- By
April 15, 2015 1:48 PM
Protection against critical Windows vulnerability (CVE-2015-1635)
A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets....
- By
March 19, 2015 3:15 PM
OpenSSL Security Advisory of 19 March 2015
Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet)....
- By
March 04, 2015 12:32 AM
No upgrade needed: CloudFlare sites already protected from FREAK
The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January....
- By
October 16, 2014 9:05 AM
Drupal 7 SA-CORE-2014-005 SQL Injection Protection
Yesterday the Drupal Security Team released a critical security patch for Drupal 7 that fixes a very serious SQL injection vulnerability....
- By
October 14, 2014 9:37 PM
SSLv3 Support Disabled By Default Due to POODLE Vulnerability
For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. ...
- By
October 14, 2014 12:16 PM
Automatic protection for common web platforms
If you are a CloudFlare Pro or above customer you enjoy the protection of the CloudFlare WAF. If you use one of the common web platforms, such as WordPress, Drupal, Plone, WHMCS, or Joomla, then it's worth checking if the relevant CloudFlare WAF ruleset is enabled....
- By
September 30, 2014 10:38 PM
Inside Shellshock: How hackers are using it to exploit systems
On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash....
- By
September 24, 2014 5:12 PM
Bash vulnerability CVE-2014-6271 patched
This morning, Stephane Chazelas [disclosed](http://seclists.org/oss-sec/2014/q3/649) a vulnerability in the program bash, the GNU Bourne-Again-Shell. ...
- By
August 18, 2014 11:00 AM
Tinfoil Security vulnerability scanning now easy in CloudFlare Apps
We’re pleased to introduce a new CloudFlare App: Tinfoil Security. Tinfoil Security is a service designed to find possible web application vulnerabilities....
- By