TECHNOLOGY NEWS

07-03-2017



Cloudflare Nips Cloudbleed Bug in the Bud

Cloudflare last week announced that it has fixed the Cloudbleed software bug responsible for a buffer overrun problem that caused its edge servers to return private information in response to some HTTP requests. That private information included HTTP cookies, authentication tokens and HTTP POST bodies. However, SSL private keys weren't leaked, said Cloudflare CTO John Graham-Cumming in an online post.

"This happened in response to a very small number of requests in the Cloudflare system -- about 1 in 3.3 million," a Cloudflare spokesperson said in a statement provided to TechNewsWorld by company rep Katie Warmuth.

Some of that data had been cached by search engines. Cloudflare reviewed the available related cached information and "took comprehensive steps to clean up any residual material found in storage caches," the spokesperson noted.

All identified episodes have been cleaned, and Cloudflare continues to work to confirm whether other residue persists. There are at least 16 other search engines on the Web apart from Google, including Bing and Duck Duck Go.

Tavis Ormandy, a vulnerability researcher with Google's Project Zero, notified Cloudflare about the problem on Feb. 17. The memory leak occurred from September to Feb. 18, with the greatest period of impact being from Feb. 13-18.

A bug in Cloudflare's Ragel-based parser was the cause. It had been dormant for years, but came alive last year, when Cloudflare began replacing the Ragel-based parser with a new one it wrote, named "cf-html." The switchover subtly changed the buffering, which enabled the leakage. The problem lay with Cloudflare's implementation of the Ragel-based parser it was using, and not with the parser itself or with cf-html.

When it learned of the problem, Cloudflare turned off three features -- email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites -- that used the parser chain causing the leakage. The Email Obfuscation feature, which was changed on Feb. 13, was the primary cause of the leaked memory, Cloudflare's Graham-Cumming said.

Cloudflare worked with Google and other search engines to remove any cached HTTP responses. The initial mitigation took 47 minutes, and the team completed global mitigation in less than seven hours. The industry standard is usually three months, Graham-Cumming noted.

Cloudflare "responded incredibly swiftly and effectively to identify and remediate the bug, and work with search engines around the world to purge any sensitive data cached by their crawlers before it could be exposed to the public," Tripwire Principal Security Researcher Craig Young told TechNewsWorld.

The Gravity of the Problem
