1 Like
How do I confirm that the rules are enabled? When I go to Firewall → Managed Rules → Package: OWASP ModSecurity Core Rule Set → Advanced and search for both “Log4j” and the specific rule ids, no results are returned.
You will find them under Cloudflare Managed Ruleset, not the OWASP Rule Set.
3 Likes
Hi, I’ve received the Apache Log4j e-mail and the information is a little conflicting, do I actually need to do anything regarding a download or something specific on my server? I’m a free account user of CF.
I believe you need to be a paid user, pro upwards, and use the WAF rules to be protected against this but once you have updated you are safe.
However, if you do not use Log4j, then you need not worry, count it in with the thousands of other exploits your get probed for daily.
1 Like
No, Log4j vulnerabilities are patched on free plans too.
3 Likes
So this is just a CF thing and nothing to concern myself with in a broader sense like getting in touch with my web host?
No, you should mitigate this vector if any of your services rely on it. Cloudflare is a patch on the problem. As strong as CF WAF is, somebody could obfuscate the payload to bypass the detections, exploiting vulnerable endpoints.
Play it safe; this is the most severe vulnerability of the year IMO.
3 Likes
Thank you. 
1 Like
Thanks for replying.
1 Like
What is the logic that Cloudflare is using to determine when the rule is activated? Also, how would I be able to determine in the logs whether a site of mine is being hit and and this rule has been used?
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.