On December 9th, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. To mitigate attacks, Cloudflare has deployed mitigation rules for all of our customers.
Log4j is a popular open source software library that is used to log web application activity to logs in memory. These files often contain information coming from outside an organization — for instance, a User-Agent string that is sent by a browser along with an HTTP request.
Unfortunately, a flaw in Log4j means that by using special characters in logged data, it is possible to get a machine inside a company to run code that an attacker controls. Through an attack known as remote code execution (RCE), attackers can gain a foothold into what would normally be a secure, protected system.
In response to the Log4j vulnerability, Cloudflare has rolled out basic protections to all customers, irrespective of their plan type. As this vulnerability is actively being exploited, Log4j users should update to the latest version as soon as possible.