The Cloudflare Blog

Subscribe to receive notifications of new posts:

Protection against critical Windows vulnerability (CVE-2015-1635)

04/15/2015

Ben Cartwright-Cox

1 min read

8.1 Crash

A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets.

We have rolled out a WAF rule that blocks these requests.

Customers on a paid plan and who have the WAF enabled are automatically protected against this problem. It is highly recommended that you upgrade your IIS and your Windows servers as soon as possible; in the meantime any requests coming into CloudFlare that try and exploit this DoS/RCE will be blocked.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.

Vulnerabilities WAF Rules WAF

Follow on X

Cloudflare|@cloudflare

March 07, 2024 2:00 PM

General availability for WAF Content Scanning for file malware protection

Announcing the General Availability of WAF Content Scanning, protecting your web applications and APIs from malware by scanning files in-transit...

Security Week, WAF, WAF Rules, Content Scanning, Product News, General Availability, Anti Malware

January 23, 2024 2:00 PM

How Cloudflare’s AI WAF proactively detected the Ivanti Connect Secure critical zero-day vulnerability

The issuance of Emergency Rules by Cloudflare on January 17, 2024, helped give customers a big advantage in dealing with these threats...

Vulnerabilities, WAF Rules, WAF, WAF Attack Score, Zero Day Threats, AI WAF

December 15, 2021 1:56 PM

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page....

Gabriel Gabor,
Andre Bluehs

Log4J, Log4Shell, WAF Rules, Security, Vulnerabilities

December 10, 2021 6:36 PM

Inside the Log4j2 vulnerability (CVE-2021-44228)

In this post we explain the history of this vulnerability, how it was introduced, how Cloudflare is protecting our clients. We will update later with actual attempted exploitation we are seeing blocked by our firewall service....

John Graham-Cumming

Vulnerabilities, Zero Day Threats, Security, WAF Rules, Log4J, Log4Shell