This post is also available in 简体中文, 繁體中文, 日本語, 한국어. Update: all three WAF rules have now been configured with a default action of BLOCK. A zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE). This vulnerability is actively being exploited and anyone using Log4j should update to version 2.15.0
![CVE-2021-44228 - Log4j RCE 0-day mitigation](https://cdn-ak-scissors.b.st-hatena.com/image/square/2d3ff818722ed7c14b9129d182b0578953a0521f/height=288;version=1;width=512/http%3A%2F%2Fblog.cloudflare.com%2Fcontent%2Fimages%2F2021%2F12%2Fhttp---blog.cloudflare.com-content-images-2021-10-Helping-Apache-Servers-stay-safe-from-zero-day-path-traversal-attacks-header.png-OG-1.png)