Cloudflare WAF improves web attack detection with rule enhancements and CVE coverage
Cloudflare · release · security · feature · developers.cloudflare.com

WAF Rule Updates

Cloudflare's Web Application Firewall received a new batch of improvements designed to strengthen detection capabilities across multiple attack vectors. The release focuses on expanding coverage against broad classes of web attacks and improving behavioral detection resilience.

New Detections

Three new command injection detection rules have been added to the Cloudflare Managed Ruleset:

  • Command Injection - Generic 9 - URI Vector: Detects command injection attempts in URL parameters
  • Command Injection - Generic 9 - Header Vector: Detects command injection attempts in HTTP headers
  • Command Injection - Generic 9 - Body Vector: Detects command injection attempts in request bodies

These rules are currently in log-only mode, allowing you to monitor for potential attacks without blocking legitimate traffic.

Rule Consolidation

The PHP, vBulletin, and jQuery File Upload rule addressing CVE-2018-9206 and CVE-2019-17132 has been updated from log-only to block mode and consolidated into the original rule. This change strengthens protection against dangerous file upload vulnerabilities in popular web applications.

Action Required

Review your WAF rules and logs to understand how these new detections may impact your traffic. The new command injection rules are in log-only mode by default, so consider adjusting them to block mode once you've validated they don't impact legitimate requests.
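One way to run that validation over exported WAF events before moving a rule to block mode. This is an added example, not Cloudflare's code: the sample events are constructed, the field names (`Action`, `Description`, `ClientIP`, `ClientRequestPath`) are assumed to match your firewall event export, and the known-good path list is a hypothetical operator input.

```python
import json
from collections import defaultdict

# Constructed sample events (NDJSON). Field names are an assumption about the
# export format; map them to whatever your log pipeline actually emits.
SAMPLE_EVENTS = """\
{"Action":"log","Description":"Command Injection - Generic 9 - URI Vector","ClientIP":"198.51.100.7","ClientRequestPath":"/search"}
{"Action":"log","Description":"Command Injection - Generic 9 - URI Vector","ClientIP":"203.0.113.9","ClientRequestPath":"/search"}
{"Action":"log","Description":"Command Injection - Generic 9 - Header Vector","ClientIP":"198.51.100.7","ClientRequestPath":"/api/login"}
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"192.0.2.44","ClientRequestPath":"/admin/scripts/run"}
{"Action":"log","Description":"Command Injection - Generic 9 - Body Vector","ClientIP":"203.0.113.9","ClientRequestPath":"/contact"}
{"Action":"block","Description":"Unrelated rule (constructed)","ClientIP":"203.0.113.9","ClientRequestPath":"/"}
"""

RULE_PREFIX = "Command Injection - Generic 9"

def summarize(ndjson, known_good_paths):
    """Per rule: hit count, distinct clients, and hits on paths the operator
    has marked as legitimate traffic (likely false positives)."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(),
                                 "fp_paths": defaultdict(int)})
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        desc = ev.get("Description", "")
        # Only log-mode hits from the new rule family are relevant here.
        if ev.get("Action") != "log" or not desc.startswith(RULE_PREFIX):
            continue
        s = stats[desc]
        s["hits"] += 1
        s["clients"].add(ev.get("ClientIP"))
        path = ev.get("ClientRequestPath", "")
        if any(path.startswith(p) for p in known_good_paths):
            s["fp_paths"][path] += 1
    return stats

def ready_for_block(stats):
    """Rules whose logged hits never touched a known-good path."""
    return sorted(rule for rule, s in stats.items() if not s["fp_paths"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS, ["/admin/scripts/"])
    for rule, s in sorted(stats.items()):
        print(rule, s["hits"], len(s["clients"]), dict(s["fp_paths"]))
    print("candidates for block mode:", ready_for_block(stats))
```

A rule that only matched traffic outside the known-good paths is a candidate for block mode; one that matched a legitimate endpoint needs an exception or further review first.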