How Cloudflare Images addressed the aCropalypse vulnerability
July 10, 2023 1:00 PM
Customers using Cloudflare Images or Image Resizing products are protected against the aCropalypse vulnerability. ...
April 25, 2023 1:07 PM
Researchers have recently published the discovery of a new DDoS reflection/amplification attack vector leveraging the SLP protocol. Cloudflare expects the prevalence of SLP-based DDoS attacks to rise in the coming weeks...
January 31, 2023 2:00 PM
In the Linux kernel before 6.1.6, a NULL pointer dereference bug in the traffic control subsystem allows an unprivileged user to trigger a denial of service (system crash) via a crafted traffic control configuration that is set up with "tc qdisc" and "tc class" commands....
November 02, 2022 9:31 AM
Information on CVE-2022-3602 and CVE-2022-3786, and why Cloudflare was not impacted...
June 05, 2022 8:54 PM
UTC Atlassian released a Security Advisory relating to a remote code execution (RCE) vulnerability affecting Confluence Server and Confluence Data Center products....
May 26, 2022 1:17 PM
Cloudflare’s approach to handling firmware vulnerabilities and how we keep our internal data protected...
May 06, 2022 1:00 PM
The Cloudflare Bug Bounty has resulted in numerous security improvements to Cloudflare Pages...
March 31, 2022 3:13 PM
Cloudflare Managed Ruleset updates for the recent vulnerabilities affecting the Java Spring framework and related software components...
March 29, 2022 3:51 PM
CVE-2022-1096 is yet another zero-day vulnerability affecting web browsers. Cloudflare Zero Trust mitigates the risk of zero-day attacks in the browser and has been patched...
March 08, 2022 3:22 PM
A zero-day vulnerability in the Mitel MiCollab business phone system has recently been discovered (CVE-2022-26143). This vulnerability, called TP240PhoneHome, which Cloudflare customers are already protected against, can be used to launch UDP amplification attacks...
March 08, 2022 2:59 PM
A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks...
February 01, 2022 5:28 PM
Today we are launching Cloudflare’s paid public bug bounty program. We believe bug bounties are a vital part of every security team’s toolbox....
December 15, 2021 1:56 PM
This vulnerability is actively being exploited and anyone using Log4j should update to version 2.16.0 as soon as possible. The latest version is available on the Log4j download page....
December 14, 2021 5:48 PM
This article covers WAF evasion patterns and exfiltration attempts, trend data on attempted exploitation, and information on exploitation that we saw prior to the public disclosure of CVE-2021-44228....
December 14, 2021 10:23 AM
Many Cloudflare customers consume their logs using software that uses Log4j, so we are mitigating any exploit attempts via Cloudflare Logs....
December 10, 2021 11:39 PM
Yesterday, December 9, 2021, when a serious vulnerability in the popular Java-based logging package log4j was publicly disclosed, our security teams jumped into action to help respond to the first question and answer the second question. This post explores the second....
December 10, 2021 9:06 PM
I wrote earlier about how to mitigate CVE-2021-44228 in Log4j, how the vulnerability came about and Cloudflare’s mitigations for our customers. As I write we are rolling out protection for our FREE customers as well because of the vulnerability’s severity....
December 10, 2021 6:36 PM
In this post we explain the history of this vulnerability, how it was introduced, and how Cloudflare is protecting our clients. We will update later with actual attempted exploitation we are seeing blocked by our firewall service....
December 10, 2021 11:39 AM
A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021, that results in remote code execution (RCE)....