On December 9th, 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. To mitigate attacks, Cloudflare has deployed mitigation rules for all of our customers.
Log4j is a popular open source software library that is used to log web application activity to logs in memory. These files often contain information coming from outside an organization — for instance, a User-Agent string that is sent by a browser along with an HTTP request.
Unfortunately, a flaw in Log4j means that by using special characters in logged data, it is possible to get a machine inside a company to run code that an attacker controls. Through an attack known as remote code execution (RCE), attackers can gain a foothold into what would normally be a secure, protected system.
In response to the Log4j vulnerability, Cloudflare has rolled out basic protections to all customers, irrespective of their plan type. As this vulnerability is actively being exploited, Log4j users should update to the latest version as soon as possible.
Cloudflare WAF now includes four rules to help mitigate any exploit attempts. See this blog post for details on how to enable these rules.
In addition, Cloudflare rolled out a config option for our Logpush service to find and replace known exploit strings in Cloudflare logs to help mitigate the impact of this vulnerability.