Vulnerabilities - The Cloudflare Blog

Cloudflare observations of Confluence zero day (CVE-2022-26134)

June 05, 2022 9:54PM

On 2022-06-02 at 20:00 UTC Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products. This post covers our current analysis of this vulnerability...

Cloudflare customers are protected from the Atlassian Confluence CVE-2022-26134

June 03, 2022 6:30AM

Vulnerabilities CVE

On June 02, 2022 Atlassian released a security advisory for their Confluence Server and Data Center applications, highlighting a critical severity unauthenticated remote code execution vulnerability....

Cloudflare’s approach to handling BMC vulnerabilities

May 26, 2022 2:17PM

Vulnerabilities Hardware Security

Cloudflare’s approach to handling firmware vulnerabilities and how we keep our internal data protected...

The Cloudflare Bug Bounty program and Cloudflare Pages

May 06, 2022 2:00PM

Bug Bounty Vulnerabilities Security

The Cloudflare Bug Bounty has resulted in numerous security improvements to Cloudflare Pages...

WAF mitigations for Spring4Shell

March 31, 2022 4:13PM

WAF Security CVE Vulnerabilities

Cloudflare Managed Ruleset updates for the recent vulnerabilities affecting the Java Spring framework and related software components...

March 29, 2022 4:51PM

CVE-2022-1096: How Cloudflare Zero Trust provides protection from zero day browser vulnerabilities

CVE-2022-1096 is yet another zero day vulnerability affecting web browsers. Cloudflare zero trust mitigates the risk of zero day attacks in the browser and has been patched...

By

Tim Obezuk

Browser Isolation , Remote Browser Isolation , RBI , Zero Day Threats , Zero Trust

March 08, 2022 3:22PM

CVE-2022-26143: A Zero-Day vulnerability for launching UDP amplification DDoS attacks

A zero-day vulnerability in the Mitel MiCollab business phone system has recently been discovered (CVE-2022-26143). This vulnerability, called TP240PhoneHome, which Cloudflare customers are already protected against, can be used to launch UDP amplification attacks...

By

Omer Yoachimik
, Alex Forster

DDoS , Zero-Day , Attacks , Managed Rules , Mitel

March 08, 2022 2:59PM

CVE-2022-26143: TP240PhoneHome reflection/amplification DDoS attack vector

A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks...

By

Alex Forster

DDoS , Vulnerabilities , Mitel

February 01, 2022 5:28PM

Announcing the public launch of Cloudflare's bug bounty program

Today we are launching Cloudflare’s paid public bug bounty program. We believe bug bounties are a vital part of every security team’s toolbox and have been working hard on improving and expanding our private bug bounty program over the last few years...

By

Rushil Shah

Security , Vulnerabilities , HackerOne

December 15, 2021 1:56PM

Protection against CVE-2021-45046, the additional Log4j RCE vulnerability

This vulnerability is actively being exploited and anyone using Log4J should update to version 2.16.0 as soon as possible, even if you have previously updated to 2.15.0. The latest version can be found on the Log4J download page....

By

Gabriel Gabor
, Andre Bluehs

Log4J , Log4Shell , WAF Rules , Security , Vulnerabilities

December 14, 2021 5:48PM

Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration

In this blog post we will cover WAF evasion patterns and exfiltration attempts seen in the wild, trend data on attempted exploitation, and information on exploitation that we saw prior to the public disclosure of CVE-2021-44228....

By

John Graham-Cumming
, Celso Martinho

Log4J , Log4Shell , Vulnerabilities , WAF , Security

December 14, 2021 10:23AM

Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability

Many Cloudflare customers consume their logs using software that uses Log4j, so we are mitigating any exploit attempts via Cloudflare Logs....

By

Jon Levine
, Sohei Okamoto

Logs , Vulnerabilities , Zero Day Threats , Security , Log4J

December 10, 2021 11:39PM

How Cloudflare security responded to Log4j 2 vulnerability

Yesterday, December 9, 2021, when a serious vulnerability in the popular Java-based logging package log4j was publicly disclosed, our security teams jumped into action to help respond to the first question and answer the second question. This post explores the second....

By

Rushil Shah
, Thomas Calderon

Vulnerabilities , Security , Log4J , Log4Shell

December 10, 2021 9:06PM

Actual CVE-2021-44228 payloads captured in the wild

I wrote earlier about how to mitigate CVE-2021-44228 in Log4j, how the vulnerability came about and Cloudflare’s mitigations for our customers. As I write we are rolling out protection for our FREE customers as well because of the vulnerability’s severity....

By

John Graham-Cumming

Vulnerabilities , Security , Page Rules , Log4J , Log4Shell