[Security] Cloudflare vulnerability: memory leak caused by parser bug

Created:

2017-02-27 14:25:37 UTC

Modified:

2017-06-08 08:42:15 UTC

0

Was this article helpful?


Have more questions?

Submit a request

[Security] Cloudflare vulnerability: memory leak caused by parser bug

Situation

Cloudflare issued a vulnerability alert on 2017-02-18: memory leak caused by parser bug.

Impact

Vulnerability in Cloudflare parser (which is also known as Cloudbleed) has been recently discovered. Cloudflare edge servers pass the end of a buffer returning memory that contains private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of that data can be cached by search engines.

The information flowing through Cloudflare that should have been private can be disclosed. This includes HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens). Because CloudFlare operates a large shared infrastructure, an HTTP request to a CloudFlare website that is vulnerable to this problem can reveal information about another, unrelated Cloudflare site.

Call to Action

A fix is already applied on Cloudflare servers worldwide. Moreover, all compromised private data has been deleted from a cache of the most popular search engines. However, if the Cloudflare extension was used for a website between September 2016 and February 2017, particular actions are recommended to protect their data:

  1. Invalidate all sessions for your website and make sure that login cookies for site visitors are invalid: solution for WordPress, solution for Joomla
  2. Change you website's administrative accounts password (CMS administrators password, if any).
  3. Suggest the other accounts' owners change their passwords for the website.  

Additional information

Cloudflare announcement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

Tavis Ormandy's blog: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Tavis is a Google representative who found this bug and reported it to Cloudflare.

 

Have more questions? Submit a request
Please sign in to leave a comment.