Jessica Lyons reports:
Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover.
FearsOff security researchers reported the bug in October through Cloudflare’s bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.
ACME is a protocol that certificate authorities and services like Cloudflare use to automate the issuance, renewal, and revocation of SSL/TLS certificates.
Read more at The Register.