
Cloudflare Memory Leak Bug Update

Posted by PMC Support (Level 72 : Legendary Cake)
You may have already heard about the Cloudflare memory leak reported in their official blog post. It's being reported today by many of the 4,287,625 possibly affected domains receiving notice of the issue.

This morning, at 7am EST, we received an email from Cloudflare notifying us of the now-patched bug and summarizing the current status of their findings.

From the blog posts and email below, we understand the Cloudflare memory leak bug affected all of their 4+ million sites, but they have "yet to find any instance of the bug being exploited". They specifically reached out to the 150 sites for which they found sensitive information in third party caches; we are not one of those domains, and they will reach out to us directly if that changes. However, because of how widespread this bug is, it's a good idea to change your password, particularly if it's weak.

We'll keep the community informed on any further updates from Cloudflare.

The email:

Thursday afternoon, we published a blog post describing a memory leak caused by a serious bug that impacted Cloudflare's systems. If you haven't yet, I encourage you to read that post on the bug:

blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

While we resolved the bug within hours of it being reported to us, there was an ongoing risk that some of our customers' sensitive information would still be available through third party caches, such as the Google search cache.

Over the last week, we've worked with these caches to discover what customers may have had sensitive information exposed and ensure that the caches are purged. We waited to disclose the bug publicly until after these caches could be cleared in order to mitigate the ability of malicious individuals to exploit any exposed data.

In our review of these third party caches, we discovered exposed data on approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Your domain is not one of the domains where we have discovered exposed data in any third party caches. The bug has been patched so it is no longer leaking data. However, we continue to work with these caches to review their records and help them purge any exposed data we find. If we discover any data leaked about your domains during this search, we will reach out to you directly and provide you full details of what we have found.

To date, we have yet to find any instance of the bug being exploited, but we recommend if you are concerned that you invalidate and reissue any persistent secrets, such as long lived session identifiers, tokens or keys. Due to the nature of the bug, customer SSL keys were not exposed and do not need to be rotated.

Again, if we discover new information that impacts you, we will reach out to you directly. In the meantime, if you have any questions or concerns, please don’t hesitate to reach out.

Matthew Prince
Cloudflare, Inc.
Co-founder and CEO
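The email's advice to "invalidate and reissue any persistent secrets, such as long lived session identifiers" is the part a site operator actually has to act on. The following Python sketch is an added example, not code from the email, from Cloudflare or from Planet Minecraft: it shows a minimal server-side session store that keeps only HMAC digests of tokens, revokes every session issued before a chosen cutoff (for example, the moment the leaking code was patched) and rotates a still-valid session to a fresh identifier. The class and function names, the hash key, the timeline and the user names are all constructed for the example.

```python
# Added example (not Cloudflare's or Planet Minecraft's code): a session store
# that can invalidate and reissue session identifiers after a suspected leak.
# All names, timestamps and users below are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: str
    issued_at: float    # seconds since epoch, supplied by the caller
    expires_at: float


class SessionStore:
    """Keeps HMAC digests of session tokens, never the tokens themselves, so a
    copy of the store alone is not enough to replay a session."""

    def __init__(self, hash_key: bytes, ttl_seconds: float = 30 * 24 * 3600):
        self._hash_key = hash_key
        self._ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}        # token digest -> Session
        self._not_before_global = 0.0                   # site-wide revocation cutoff
        self._not_before_user: Dict[str, float] = {}    # per-user revocation cutoff

    def _digest(self, token: str) -> str:
        return hmac.new(self._hash_key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)              # 256 bits of randomness
        self._sessions[self._digest(token)] = Session(user_id, now, now + self._ttl)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user id for a live session, or None if unknown, expired
        or issued before the applicable revocation cutoff."""
        sess = self._sessions.get(self._digest(token))
        if sess is None or now >= sess.expires_at:
            return None
        cutoff = max(self._not_before_global,
                     self._not_before_user.get(sess.user_id, 0.0))
        if sess.issued_at < cutoff:
            return None
        return sess.user_id

    def invalidate_issued_before(self, cutoff: float, user_id: Optional[str] = None) -> None:
        """Revoke every session issued before `cutoff`, site-wide or for one
        user (e.g. after that user changes their password)."""
        if user_id is None:
            self._not_before_global = max(self._not_before_global, cutoff)
        else:
            prev = self._not_before_user.get(user_id, 0.0)
            self._not_before_user[user_id] = max(prev, cutoff)

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Exchange a still-valid session for a fresh identifier; the old one
        stops working immediately."""
        user_id = self.validate(token, now)
        if user_id is None:
            return None
        del self._sessions[self._digest(token)]
        return self.issue(user_id, now)


def run_incident_scenario() -> dict:
    """Constructed timeline: one session issued while the bug was live, one
    issued after the patch, then a site-wide revocation, a rotation and a
    per-user revocation on password change."""
    store = SessionStore(hash_key=b"constructed-demo-key-not-for-production")
    t0 = 1_000_000.0                     # constructed epoch time
    patched_at = t0 + 3600
    leaked_era = store.issue("alice", t0)              # issued while leaking
    fresh = store.issue("alice", patched_at + 10)      # issued after the fix
    bob = store.issue("bob", patched_at + 50)

    store.invalidate_issued_before(patched_at)         # revoke the leak window
    results = {
        "leaked_era_valid": store.validate(leaked_era, patched_at + 20) is not None,
        "fresh_valid": store.validate(fresh, patched_at + 20) == "alice",
    }
    rotated = store.rotate(fresh, patched_at + 30)
    results["rotated_valid"] = store.validate(rotated, patched_at + 40) == "alice"
    results["fresh_after_rotate"] = store.validate(fresh, patched_at + 40) is not None

    store.invalidate_issued_before(patched_at + 100, user_id="alice")   # password change
    results["alice_after_pw_change"] = store.validate(rotated, patched_at + 101) is not None
    results["bob_unaffected"] = store.validate(bob, patched_at + 101) == "bob"
    return results


if __name__ == "__main__":
    for key, value in run_incident_scenario().items():
        print(f"{key}: {value}")
```

The site-wide cutoff is what the email's advice amounts to in practice: everything issued before the patch is treated as potentially exposed and users re-authenticate, while per-user cutoffs give the "change your password" advice teeth by also ending that user's existing sessions. Storing only digests means that even a leak of the session table, as opposed to a leak of in-flight traffic, does not hand out usable identifiers.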
Comments : 48

  • ALTRebel
  • Level 1
  • New Miner
  • April 28, 2017, 6:04 pm
Aww i NEVER check this resetting NOW XD
  • Ivain
  • Level 49
  • Master Droid
  • February 28, 2017, 12:55 pm
yep, changed my password as soon as I found you in the list of affected sites.
  • Beverly
  • Level 64
  • High Grandmaster Explorer
  • February 28, 2017, 10:45 am
Ach, that's frightening, but I'm glad you all are working to fix it. :) Thank you very much!
  • lowercase
  • Level 26
  • Expert Princess
  • February 26, 2017, 10:45 pm
thank ya xx
  • abeille
  • Level 27
  • Expert Botanist
  • February 26, 2017, 1:43 pm
.v. scary
  • Thatsmusic99
  • Level 13
  • Journeyman Engineer
  • February 26, 2017, 6:16 am
Thanks for making us all aware. I knew about Discord, however not PMC. Thank goodness most of us have saved ourselves.
  • RiotShielder
  • Level 25
  • Expert Network
  • February 25, 2017, 5:50 pm
"However, because of how widespread this bug is, it's a good idea to change your password, particularly if it's weak."

Yeah, that's a dumb statement, and it clearly shows the writer doesn't understand the exploit. It doesn't matter how strong your password is once it's leaked.
  • Myraaa
  • Level 60
  • High Grandmaster Sweetheart
  • February 28, 2017, 2:06 pm
"the exploit"

"yet to find any instance of the bug being exploited"
11/10 fact checking
That doesn't make it any less of a vulnerability?
  • Myraaa
  • Level 60
  • High Grandmaster Sweetheart
  • March 6, 2017, 4:46 am
It does, actually. It's like having someone steal your password vs. writing it down at a crowded airport. Sure, there's the chance that some skilled hacker saw you and is planning to hack your account, but it's very slim, and the chance is even slimmer that anyone cares.
Especially since CloudFlare explicitly stated that PMC was not one of the affected sites.
¯\_(ツ)_/¯
Again, the vulnerability is still just as severe. Just because Cloudflare isn't aware of it being exploited while it was active doesn't mean it wasn't.

Also, all CloudFlare sites were potentially vulnerable. PMC was not one of the sites found in third-party caches, but that doesn't mean no data was leaked.
  • Ivain
  • Level 49
  • Master Droid
  • February 28, 2017, 12:56 pm
oh noes, they made a sentence with a few extra words that are not factually correct, however shall I cope!
  • mick_the_mine
  • Level 37
  • Artisan Electrician
  • February 28, 2017, 1:44 am
you do realise that this post is made by the ones running pmc right? and you do realise that changing your password would help right? regardless, check before posting
  • _Insane
  • Level 21
  • Expert Nerd
  • February 26, 2017, 9:01 am
If your password was leaked, wouldn't you want to change your password to something different?
  • Indraft
  • Forum Moderator
  • Level 35
  • Artisan Mountaineer
  • February 26, 2017, 8:02 am
Well aren't you just a little salty
Thank you for the hard work you guys provide on the site. I really hope this bug wasn't exploited and that they got lucky finding it out it hasn't been used or breached. So much for that zero day lol
  • XDscoper420
  • Level 24
  • Expert Engineer
  • February 25, 2017, 12:44 am
I got logged out just now, but I wasn't online then. What does this mean? I'm kinda worried.
  • Jamzs3
  • Level 38
  • Artisan Lego Builder
  • February 24, 2017, 4:02 pm
Who uses cloudflare? (like any common sites I should know about?)
  • null0
  • Level 1
  • New Network
  • February 27, 2017, 5:31 pm
There are plenty of sites that use it actually. You could probably find some if you look it up.
  • Jamzs3
  • Level 38
  • Artisan Lego Builder
  • February 25, 2017, 4:57 pm
thx
  • +1bunbun
  • Level 1
  • New Explorer
  • February 24, 2017, 8:58 pm
Discord, Reddit, and 4chan are a few off the top of my head
  • G-Fiti
  • Retired Moderator
  • Level 49
  • Master Artist
  • February 25, 2017, 4:08 am
Reddit doesn't use Cloudflare btw
  • Luna
  • Level 40
  • Master Architect
  • February 24, 2017, 2:01 pm
Thanks for the heads up <3
I got this email myself this morning, since I have a website behind Cloudflare. Quite rare for them to have a bug in their system. Hope they don't find any more problems in the caches...

Edit: when I started reading some more articles online about it, I found out that it was leaking like major company data, I guess they're just lucky.. Like Uber, FitBit, 1Password, etc for months....
  • MattsOnMc
  • Level 48
  • Master Dragonborn
  • February 24, 2017, 1:11 pm
I hope they do find it, better found than under the grass (sounds better in dutch)
They really should be better on finding these things, they have been leaking stuff like this up to since Sept. 22.
Here's the list of websites that found leaked sensitive data: github.com/Dorian/doma/blob/master/_data/cloudbleed.yml
  • MattsOnMc
  • Level 48
  • Master Dragonborn
  • February 27, 2017, 2:22 am
I don't think you realise what the scale was of this BUG, nobody at cloudflare had an idea that this was happening. Nobody even had a thought that something like this COULD happen. If it wasn't for someone from Google's research projects, this would've never been discovered.
I find it stupid that they don't test the code before deploying it and monitor it..
  • MattsOnMc
  • Level 48
  • Master Dragonborn
  • March 2, 2017, 10:54 am
It wasn't exactly an obvious thing that got discovered, who after all would search for such a weird string in Google. Think about all the bugs that still exist to this day, it could be possible PMC has a server breaking glitch, and by all the testing and using of the system not been found to this day, but one single row of events causes all users to be wiped.
Hackers will look for any ways just to get leaked information....
  • MattsOnMc
  • Level 48
  • Master Dragonborn
  • March 3, 2017, 12:09 pm
I find your definition of a "hacker" is really narrow
  • Ivain
  • Level 49
  • Master Droid
  • February 28, 2017, 1:00 pm
You really think they didn't test the code? What part of "nearly undiscovered" didn't get through?


You can test all you want but if a tiny exploit somewhere escapes your attention what are you gonna do about it? The software is probably hundreds if not thousands of lines of code. Go waterproof that. Enjoy.
I'm pretty sure they run it through dozens of tests, but if they don't think of testing a very specific thing that is the only thing that could have exposed the bug, the bug does not get exposed.
  • yeol
  • Level 43
  • Master Toast
  • February 24, 2017, 7:09 am
but still...
;;')
  • Monotone
  • Level 7
  • Apprentice Hunter
  • February 24, 2017, 5:11 am
Went ahead and changed my password to be safe. Thanks for notifying us so quickly!
  • Ludicrous
  • Site Moderator
  • Level 63
  • High Grandmaster Senpai
  • February 24, 2017, 4:38 am
first

All jokes aside, please do change passwords. Better safe than sorry.
  • comet vomit
  • Level 24
  • Expert Goblin
  • February 24, 2017, 8:38 am
im first to comment on this comment
im first to comment on this comment comment
  • Zitzabis
  • Site Moderator
  • Level 69
  • High Grandmaster Gent
  • February 24, 2017, 4:34 am
Glad you posted this Cyp.
Always bugs me when I see people panicking without fully researching the matter. Kind of like how people do those "I'm posting this so Facebook can no longer steal my data!" kind of stuff on Facebook.
  • Faith
  • Level 38
  • Artisan Bunny
  • February 24, 2017, 4:34 am
So most likely, you just need to change your password (If it is weak) Or are other things going to be effected later on?
  • Zitzabis
  • Site Moderator
  • Level 69
  • High Grandmaster Gent
  • February 24, 2017, 4:36 am
It's one of those things where according to the odds and stuff, you MIGHT be affected. So if you feel uneasy, go ahead and change it. If you feel fairly safe, then you don't need to worry.
  • Wyvern
  • Level 31
  • Artisan Dragon
  • February 24, 2017, 4:32 am
Literally everywhere on Discord and Skype
Skype is literally one of the most insecure things you could use while video chatting with someone, so it's not a surprise if things got leaked from there.
  • Faith
  • Level 38
  • Artisan Bunny
  • February 24, 2017, 4:41 am
Prince Oceanus is right. Skype and discord can easily make people get your IP, or some other information through their system. You really shouldn't be using those to begin with.
Discord's actually pretty good about keeping your IP safe, it's the BetterDiscord thing that got people freaked out. BetterDiscord is pretty buggy and it's no surprise that any information got leaked there, either.
  • Zitzabis
  • Site Moderator
  • Level 69
  • High Grandmaster Gent
  • February 24, 2017, 4:39 am
That's not Skype's fault though. It's Cloudflare that's the problem, not the people who use Cloudflare.
Skype and Discord don't even use Cloudflare...
  • Zitzabis
  • Site Moderator
  • Level 69
  • High Grandmaster Gent
  • February 24, 2017, 11:19 am
Discord used to, but they migrated away from that before Cloudbleed.
Ehh... I remember they're now completely on Amazon Web Services for the hosting..

© 2010 - 2018 planetminecraft.com