Vulnerabilities - Page 1 - Cloudflare Blog

Protecting everyone from WordPress Content Injection

Published on February 1st, 2017 4:53PM by Ben Cartwright-Cox.

Today a severe vulnerability was announced by the WordPress Security Team that allows unauthenticated users to change content on a site using unpatched (below version 4.7.2) WordPress. CC BY-SA 2.0 image by Nicola Sap De Mitri The problem was found by the team at Sucuri and reported

CloudFlare sites protected from httpoxy

Published on July 18th, 2016 3:26PM by Ben Cartwright-Cox.

CC BY 2.0 image by Joe Seggiola We have rolled out automatic protection for all customers for the the newly announced vulnerability called httpoxy. This vulnerability affects applications that use “classic” CGI execution models, and could lead to API token disclosure of the services that your application may talk

Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

Published on May 4th, 2016 12:20PM by Filippo Valsorda.

Yesterday a new vulnerability has been announced in OpenSSL/LibreSSL. A padding oracle in CBC mode decryption, to be precise. Just like Lucky13. Actually, it’s in the code that fixes Lucky13. It was found by Juraj Somorovsky using a tool he developed called TLS-Attacker. Like in the “old days”

OpenSSL Security Advisory of 19 March 2015

Published on March 19th, 2015 3:15PM by Ryan Lackey.

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until

No upgrade needed: CloudFlare sites already protected from FREAK

Published on March 4th, 2015 12:32AM by John Graham-Cumming.

The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January. CC BY 2.0 image by Stuart

SSLv3 Support Disabled By Default Due to POODLE Vulnerability

Published on October 14th, 2014 9:37PM by Matthew Prince.

For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows

Automatic protection for common web platforms

Published on October 14th, 2014 12:16PM by John Graham-Cumming.

If you are a CloudFlare Pro or above customer you enjoy the protection of the CloudFlare WAF. If you use one of the common web platforms, such as WordPress, Drupal, Plone, WHMCS, or Joomla, then it's worth checking if the relevant CloudFlare WAF ruleset is enabled. That's because CloudFlare pushes

Inside Shellshock: How hackers are using it to exploit systems

Published on September 30th, 2014 10:38PM by John Graham-Cumming.

On Wednesday of last week, details of the Shellshock bash bug emerged. This bug started a scramble to patch computers, servers, routers, firewalls, and other computing appliances using vulnerable versions of bash. CloudFlare immediately rolled out protection for Pro, Business, and Enterprise customers through our Web Application Firewall. On Sunday,