Incident Report On Memory Leak Induced

提供:鈴木広大
2025年9月15日 (月) 09:44時点におけるAmberTrevizo3 (トーク | 投稿記録)による版 (ページの作成:「<br>Final Friday, Tavis Ormandy from Google’s Mission Zero contacted Cloudflare to report a security drawback with our edge servers. He was seeing corrupted internet pages being returned by some HTTP requests run via Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers had been working previous the top of a buffer and returning memory that contained personal info such as HTTP cookies, authentication tokens, [ht…」)
(差分) ← 古い版 | 最新版 (差分) | 新しい版 → (差分)
ナビゲーションに移動 検索に移動


Final Friday, Tavis Ormandy from Google’s Mission Zero contacted Cloudflare to report a security drawback with our edge servers. He was seeing corrupted internet pages being returned by some HTTP requests run via Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers had been working previous the top of a buffer and returning memory that contained personal info such as HTTP cookies, authentication tokens, memory improvement solution HTTP Publish bodies, and other sensitive knowledge. And a few of that information had been cached by search engines like google. For the avoidance of doubt, Cloudflare buyer SSL private keys were not leaked. Cloudflare has always terminated SSL connections via an isolated occasion of NGINX that was not affected by this bug. We quickly recognized the issue and turned off three minor Cloudflare options (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all utilizing the same HTML parser chain that was inflicting the leakage. At that time it was now not doable for memory to be returned in an HTTP response.



Due to the seriousness of such a bug, a cross-purposeful team from software program engineering, infosec and operations formed in San Francisco and London to completely understand the underlying trigger, to understand the effect of the memory leakage, and to work with Google and other serps to remove any cached HTTP responses. Having a global workforce meant that, at 12 hour intervals, work was handed over between workplaces enabling workers to work on the issue 24 hours a day. The workforce has labored repeatedly to ensure that this bug and its penalties are absolutely dealt with. One in every of the benefits of being a service is that bugs can go from reported to mounted in minutes to hours as an alternative of months. The trade normal time allowed to deploy a repair for a bug like this is often three months; we were fully completed globally in under 7 hours with an initial mitigation in 47 minutes.



The bug was serious as a result of the leaked memory might contain private info and because it had been cached by search engines. We have additionally not found any evidence of malicious exploits of the bug or other reviews of its existence. The greatest period of influence was from February thirteen and February 18 with around 1 in every 3,300,000 HTTP requests by Cloudflare probably resulting in memory leakage (that’s about 0.00003% of requests). We're grateful that it was found by one of the world’s prime security analysis teams and reported to us. This weblog put up is relatively long however, as is our tradition, we choose to be open and technically detailed about problems that occur with our service. Lots of Cloudflare’s services depend on parsing and modifying HTML pages as they go through our edge servers. For instance, Memory Wave we can insert the Google Analytics tag, safely rewrite http:// hyperlinks to https://, exclude elements of a page from bad bots, obfuscate e-mail addresses, allow AMP, and more by modifying the HTML of a page.



To switch the web page, we need to learn and parse the HTML to find components that need altering. Since the very early days of Cloudflare, we’ve used a parser written using Ragel. A single .rl file incorporates an HTML parser used for all of the on-the-fly HTML modifications that Cloudflare performs. About a 12 months in the past we decided that the Ragel-based mostly parser had turn out to be too complicated to maintain and we started to write down a new parser, named cf-html, to substitute it. This streaming parser works appropriately with HTML5 and is far, much sooner and simpler to keep up. We first used this new parser for the Automated HTTP Rewrites feature and have been slowly migrating functionality that uses the previous Ragel parser to cf-html. Each cf-html and the previous Ragel parser are implemented as NGINX modules compiled into our NGINX builds. These NGINX filter modules parse buffers (blocks of memory) containing HTML responses, make modifications as needed, and pass the buffers onto the following filter.



For the avoidance of doubt: the bug will not be in Ragel itself. 39;s use of Ragel. That is our bug and not the fault of Ragel. It turned out that the underlying bug that prompted the memory improvement solution leak had been present in our Ragel-based mostly parser for a few years but no memory was leaked due to the way in which the internal NGINX buffers were used. Introducing cf-html subtly changed the buffering which enabled the leakage despite the fact that there have been no problems in cf-html itself. Once we knew that the bug was being attributable to the activation of cf-html (but earlier than we knew why) we disabled the three features that triggered it to be used. Every characteristic Cloudflare ships has a corresponding function flag, which we name a ‘global kill’. We activated the email Obfuscation global kill forty seven minutes after receiving particulars of the issue and the Computerized HTTPS Rewrites global kill 3h05m later.

https://harry.main.jp/mediawiki/index.php?title=Incident_Report_On_Memory_Leak_Induced&oldid=10035929」から取得