Section and Recent Global CDN Security Concerns

Summary of security issue raised

In the past few days, vulnerability researchers at Google discovered that Cloudflare’s reverse proxies were dumping uninitialized memory into their outputs, exposing websites that use Cloudflare to data leaks. The leaked data included cookies, passwords, encryption keys, and even users’ private data from large sites that use Cloudflare.

This is similar to the Heartbleed incident a couple of years ago, but this incident is Cloudflare-specific (hence the term Cloudbleed). Cloudflare’s reverse proxy configurations are shared between their customers, so many of them could have been affected.

Why is Section not affected?

In light of these events, we wanted to share how Section is built differently in order to avoid such wide-scale incidents. Section applies true multi-tenancy based on the concept of process isolation by being built with Docker, a software development platform that runs on the principle of containers.

Each one of Section’s customers runs its own processes and Docker containers that contain a reverse proxy stack specific to that customer. When customers sign up for a Section account, they choose what technologies they want to run and a suite of Docker containers unique to them is created. Later, they are able to add additional reverse proxies to their own stack.

We run multi-tenant systems in which each process runs in its own container, because each needs its own secure, virtual computing environment. This ensures that incidents like Cloudbleed, which could impact many customers running the same reverse proxy configurations, do not ripple out beyond a single customer’s environment.

What should you do?

Websites using Cloudflare may have been affected. If your website content is transmitted through Cloudflare, you should read Cloudflare’s “Incident report on memory leak caused by Cloudflare parser bug”. Consideration should also be given to advising users of your website that a compromise may have occurred and, if you do not force a password reset, your users should consider resetting their own passwords.

For more information on Cloudbleed:

Cloudflare Reverse Proxies are Dumping Uninitialized Memory

Incident report on memory leak caused by Cloudflare parser bug

What you need to know about Cloudbleed
