Vulnerabilities - The Cloudflare Blog

SLP: a new DDoS amplification vector in the wild

April 25, 2023 2:07PM

Researchers have recently published the discovery of a new DDoS reflection/amplification attack vector leveraging the SLP protocol. Cloudflare expects the prevalence of SLP-based DDoS attacks to rise in the coming weeks...

CVE-2022-47929: traffic control noqueue no problem?

January 31, 2023 2:00PM

Linux Security Vulnerabilities CVE

In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands....

Frederick Lawler

Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

November 02, 2022 9:31AM

Security Vulnerabilities

Information on CVE-2022-3602 and CVE-2022-3786, and why Cloudflare was not impacted...

Cloudflare observations of Confluence zero day (CVE-2022-26134)

June 05, 2022 9:54PM

Vulnerabilities WAF Zero Day Threats

On 2022-06-02 at 20:00 UTC Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products. This post covers our current analysis of this vulnerability...

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

June 03, 2022 6:30AM

Vulnerabilities CVE

On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability....

May 26, 2022 2:17PM

Cloudflare’s approach to handling BMC vulnerabilities

Cloudflare’s approach to handling firmware vulnerabilities and how we keep our internal data protected...

By

Derek Chamorro
, Rebecca Weekly

Vulnerabilities , Hardware , Security

May 06, 2022 2:00PM

The Cloudflare Bug Bounty program and Cloudflare Pages

The Cloudflare Bug Bounty has resulted in numerous security improvements to Cloudflare Pages...

By

Evan Johnson
, Natalie Rogers

Bug Bounty , Vulnerabilities , Security

March 31, 2022 4:13PM

WAF mitigations for Spring4Shell

Cloudflare Managed Ruleset updates for the recent vulnerabilities affecting the Java Spring framework and related software components...

By

Michael Tremante
, Himanshu Anand

WAF , Security , CVE , Vulnerabilities

March 29, 2022 4:51PM

CVE-2022-1096: How Cloudflare Zero Trust provides protection from zero day browser vulnerabilities

CVE-2022-1096 is yet another zero day vulnerability affecting web browsers. Cloudflare zero trust mitigates the risk of zero day attacks in the browser and has been patched...

By

Tim Obezuk

Browser Isolation , Remote Browser Isolation , RBI , Zero Day Threats , Zero Trust

March 08, 2022 3:22PM

CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks

A zero-day vulnerability in the Mitel MiCollab business phone system has recently been discovered (CVE-2022-26143). This vulnerability, called TP240PhoneHome, which Cloudflare customers are already protected against, can be used to launch UDP amplification attacks...

By

Omer Yoachimik
, Alex Forster

DDoS , Zero-Day , Attacks , Managed Rules , Mitel

March 08, 2022 2:59PM

CVE-2022-26143: TP240PhoneHome reflection/amplification DDoS attack vector

A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks...

By

Alex Forster

DDoS , Vulnerabilities , Mitel

February 01, 2022 5:28PM

Announcing the public launch of Cloudflare's bug bounty program

Today we are launching Cloudflare’s paid public bug bounty program. We believe bug bounties are a vital part of every security team’s toolbox and have been working hard on improving and expanding our private bug bounty program over the last few years...

By

Rushil Shah

Security , Vulnerabilities , HackerOne

December 15, 2021 1:56PM

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page....

By

Gabriel Gabor
, Andre Bluehs

Log4J , Log4Shell , WAF Rules , Security , Vulnerabilities

December 14, 2021 5:48PM

Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration

In this blog post we will cover WAF evasion patterns and exfiltration attempts seen in the wild, trend data on attempted exploitation, and information on exploitation that we saw prior to the public disclosure of CVE-2021-44228....

By

John Graham-Cumming
, Celso Martinho

Log4J , Log4Shell , Vulnerabilities , WAF , Security