In December 2021, a very serious vulnerability in the popular Java-based logging package Log4j was disclosed. In response, Cloudflare deployed mitigation rules for all of our customers.
At-Bay and Cloudflare are working together to help customers mitigate Log4j attacks. We are advising all our customers to use a Web Application Firewall (WAF) for enhanced security via built-in rulesets created to stop a wide range of cyber threats, including Log4j.
We also recommend that all organizations using Log4j immediately update to the latest version to mitigate exploit attacks.
Follow the steps on this detailed support page to complete the account setup. The Cloudflare Pro plan will be preselected for you.
Put your applications behind Cloudflare WAF. You can control WAF settings via the Cloudflare Firewall app under the Managed Rules tab. More details here
Log4j is a popular open source software library that is used to record web application activity to logs in memory. These logs often contain information coming from outside an organization, for instance a User-Agent string that is sent by a browser along with an HTTP request.
Unfortunately, a flaw in Log4j meant that by using special characters in data that is logged, it is possible to get a machine inside a company to run code that an attacker controls. Through an attack known as remote code execution (RCE), attackers can gain a foothold into what would normally be a secure, protected system.
In response to the Log4j vulnerability, Cloudflare has rolled out protections to all customers. For customers using Cloudflare WAF, we have released four rules to help mitigate any exploit attempts. See this blog post for more details.
In addition, Cloudflare also rolled out a config option for our Logpush service to find and replace known exploit strings in Cloudflare logs to help mitigate the impact of this vulnerability.
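The find-and-replace idea described above can be sketched as follows. This is an added example, not Cloudflare's Logpush code: the record field names, the `x{` replacement token and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Log4j lookup expressions start with "${"; this example treats any such
# opener in a logged field as suspect (an assumption of this example).
LOOKUP_OPENER = re.compile(r"\$\{")
REPLACEMENT = "x{"  # assumed neutral token; pick one your tooling tolerates


def sanitize_value(value):
    """Return (clean_value, hit_count) for one field value."""
    if not isinstance(value, str):
        return value, 0
    return LOOKUP_OPENER.subn(REPLACEMENT, value)


def sanitize_record(line):
    """Sanitize one flat NDJSON record; return (clean_line, flagged_fields)."""
    record = json.loads(line)
    flagged = []
    for field, value in record.items():
        clean, hits = sanitize_value(value)
        if hits:
            flagged.append(field)
            record[field] = clean
    return json.dumps(record, sort_keys=True), sorted(flagged)


def sanitize_stream(lines):
    """Sanitize every record; map 1-based line numbers to flagged fields."""
    cleaned, report = [], {}
    for number, line in enumerate(lines, start=1):
        clean, flagged = sanitize_record(line)
        cleaned.append(clean)
        if flagged:
            report[number] = flagged
    return cleaned, report


# Constructed sample records; the lookup strings are placeholders, not payloads.
SAMPLE_LOGS = [
    '{"ClientIP": "198.51.100.7", "Path": "/", "UserAgent": "Mozilla/5.0"}',
    '{"ClientIP": "203.0.113.9", "Path": "/login", '
    '"UserAgent": "${example:constructed-lookup}"}',
    '{"ClientIP": "203.0.113.9", "Path": "/q?x=${example:other}", '
    '"UserAgent": "curl/7.79"}',
]

if __name__ == "__main__":
    cleaned, report = sanitize_stream(SAMPLE_LOGS)
    print("\n".join(cleaned))
    print("flagged:", report)
```

Every string field is checked, not only the User-Agent, because any request-derived value that ends up in a log can carry the same characters.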
A key part of managing cyber risk is a strong security posture, which is why we suggest organizations deploy Cloudflare application security. Customers subscribing to Cloudflare’s plans will automatically receive mitigation against this Log4j vulnerability.