On the 30th of June 2021, the OWASP community announced a bypass that affects the OWASP Core Ruleset. Cloudflare provides the OWASP Core Ruleset as part of the WAF product.
Cloudflare is not affected by this bypass, and customers using the OWASP Core Ruleset within the Cloudflare WAF do not need to worry about this announcement.
The bypass affects all OWASP CRS deployments that import the OWASP rule exclusion packages. Cloudflare does not import these packages, so we are not affected. On an affected deployment, the bypass lets an attacker evade the entire ruleset and every protection it provides.
What is OWASP?
The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
What is the OWASP Core Ruleset?
The OWASP ModSecurity Core Ruleset (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. Cloudflare imports these rules into the WAF as one of our Managed Rulesets.
If you have any questions, please drop them in this thread and we will get back to you as soon as possible.