Vulnerabilities - The Cloudflare Blog

September 28, 2019 10:54PM

Cloudflare’s protection against a new Remote Code Execution vulnerability (CVE-2019-16759) in vBulletin

Cloudflare has released a new rule as part of its Cloudflare Specials Rulesets, to protect our customers against a high-severity vulnerability in vBulletin. A new zero-day vulnerability was discovered for vBulletin, a proprietary Internet forum software....

August 13, 2019 5:00PM

On the recent HTTP/2 DoS attacks

Vulnerabilities DDoS HTTP2

Today, multiple Denial of Service (DoS) vulnerabilities were disclosed for a number of HTTP/2 server implementations. Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks....

Nafeez

May 28, 2019 6:45PM

Stopping SharePoint’s CVE-2019-0604

WAF Vulnerabilities Security

On Saturday, 11th May 2019, we got the news of a critical web vulnerability being actively exploited in the wild by advanced persistent threats (APTs), affecting Microsoft’s SharePoint server (versions 2010 through 2019)....

Georgie Yoxall

September 05, 2018 2:58PM

Protection from Struts Remote Code Execution Vulnerability (S2-057)

Attacks Vulnerabilities Reliability

On August 22 a new vulnerability in the Apache Struts framework was announced. We quickly deployed a mitigation to protect customers....

Richard Sommerville

August 20, 2018 3:53PM

How Cloudflare protects customers from cache poisoning

Vulnerabilities Cache Security

A few days ago, Cloudflare — along with the rest of the world — learned of a "practical" cache poisoning attack. In this post I’ll walk through the attack and explain how Cloudflare mitigated it for our customers....

Jon Levine

April 24, 2018 10:31PM

BGP leaks and cryptocurrencies

Over the few last hours, a dozen news stories have broken about how an attacker attempted (and perhaps managed) to steal cryptocurrencies using a BGP leak....

By

Louis Poinsignon

BGP , Crypto , TLS , HTTPS , Security

April 20, 2018 4:14PM

Keeping Drupal sites safe with Cloudflare's WAF

Cloudflare’s team of security analysts monitor for upcoming threats and vulnerabilities and where possible put protection in place for upcoming threats before they compromise our customers....

By

Maitane Zotes

WAF , Drupal , Vulnerabilities , WAF rule

March 29, 2018 4:10AM

Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit

Drupal has recently announced an update to fix a critical remote code execution exploit (SA-CORE-2018-002/CVE-2018-7600). This patch is to disallow forms and form fields from starting with the “#” character....

By

Pasha Kravtsov

WAF rule , Drupal , Attacks , Vulnerabilities , WAF

February 27, 2018 2:38PM

Memcrashed - Major amplification attacks from UDP port 11211

Over last couple of days we've seen a big increase in an obscure amplification attack vector - using the memcached protocol, coming from UDP port 11211. In the past, we have talked a lot about amplification attacks happening on the internet....

By

Marek Majkowski

DDoS , Developers , Mitigation , Reliability , Attacks

January 19, 2018 5:38PM

Web Cache Deception Attack revisited

In April, we wrote about Web Cache Deception attacks, and how our customers can avoid them using origin configuration. Since our previous blog post, we have looked for but have not seen any large scale attacks like this in the wild....

By

Ka-Hing Cheung

Attacks , Tips , Page Rules , Vulnerabilities , Security

January 18, 2018 12:06PM

However improbable: The story of a processor bug

Processor problems have been in the news lately, due to the Meltdown and Spectre vulnerabilities. But generally, engineers writing software assume that computer hardware operates in a reliable, well-understood fashion, and that any problems lie on the software side of the software-hardware divide....

By

David Wragg

Reliability , Bugs , Vulnerabilities , NGINX

January 08, 2018 6:57PM

An Explanation of the Meltdown/Spectre Bugs for a Non-Technical Audience

Last week the news of two significant computer bugs was announced. They've been dubbed Meltdown and Spectre and they take advantage of very technical systems that modern CPUs have implemented to make computers extremely fast....

By

John Graham-Cumming

Bugs , Security , Vulnerabilities

December 22, 2017 2:17PM

Technical reading from the Cloudflare blog for the holidays

During 2017 Cloudflare published 172 blog posts (including this one). If you need a distraction from the holiday festivities at this time of year here are some highlights from the year....

By

John Graham-Cumming

Year in Review , Product News , LavaRand , DDoS , Botnet

December 14, 2017 7:41PM

Inside the infamous Mirai IoT Botnet: A Retrospective Analysis

This post provides a retrospective analysis of Mirai — the infamous Internet-of-Things botnet that took down major websites via massive distributed denial-of-service using hundreds of thousands of compromised Internet-Of-Things devices....

By

Guest Author

DDoS , Guest Post , Reliability , Attacks , Botnet