|
| 1 | +--- |
| 2 | +title: "WAF Release - 2025-10-06" |
| 3 | +description: Cloudflare WAF managed rulesets 2025-10-06 release |
| 4 | +date: 2025-10-06 |
| 5 | +--- |
| 6 | + |
| 7 | +import { RuleID } from "~/components"; |
| 8 | + |
| 9 | +This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques. |
| 10 | + |
| 11 | +**Key Findings** |
| 12 | + |
| 13 | +* New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads. |
| 14 | + |
| 15 | +* Chaos Mesh (CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (`cleanTcs`, `killProcesses`, `cleanIptables`) are vulnerable to OS command injection. |
| 16 | + |
| 17 | +* Form-Data (CVE-2025-7783): Attackers who can observe `Math.random()` outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation. |
| 18 | + |
| 19 | +* Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts. |
| 20 | + |
| 21 | +**Impact** |
| 22 | + |
| 23 | +* CVE-2025-61882 — Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced. |
| 24 | + |
| 25 | +* CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361 — Unauthenticated command-injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk). |
| 26 | + |
| 27 | +* CVE-2025-7783 — Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss. |
| 28 | + |
| 29 | +<table style="width: 100%"> |
| 30 | + <thead> |
| 31 | + <tr> |
| 32 | + <th>Ruleset</th> |
| 33 | + <th>Rule ID</th> |
| 34 | + <th>Legacy Rule ID</th> |
| 35 | + <th>Description</th> |
| 36 | + <th>Previous Action</th> |
| 37 | + <th>New Action</th> |
| 38 | + <th>Comments</th> |
| 39 | + </tr> |
| 40 | + </thead> |
| 41 | + <tbody> |
| 42 | + <tr> |
| 43 | + <td>Cloudflare Managed Ruleset</td> |
| 44 | + <td> |
| 45 | + <RuleID id="0c9bf31ab6fa41fc8f12daaf8650f52f" /> |
| 46 | + </td> |
| 47 | + <td>100882</td> |
| 48 | + <td>Chaos Mesh - Missing Authentication - CVE:CVE-2025-59358</td> |
| 49 | + <td>Log</td> |
| 50 | + <td>Disabled</td> |
| 51 | + <td>This is a New Detection</td> |
| 52 | + </tr> |
| 53 | + <tr> |
| 54 | + <td>Cloudflare Managed Ruleset</td> |
| 55 | + <td> |
| 56 | + <RuleID id="5d459ed434ed446c9580c73c2b8c3680" /> |
| 57 | + </td> |
| 58 | + <td>100883</td> |
| 59 | + <td>Chaos Mesh - Command Injection - CVE:CVE-2025-59359</td> |
| 60 | + <td>Log</td> |
| 61 | + <td>Block</td> |
| 62 | + <td>This is a New Detection</td> |
| 63 | + </tr> |
| 64 | + <tr> |
| 65 | + <td>Cloudflare Managed Ruleset</td> |
| 66 | + <td> |
| 67 | + <RuleID id="a2591ba5befa4815a6861aefef859a04" /> |
| 68 | + </td> |
| 69 | + <td>100884</td> |
| 70 | + <td>Chaos Mesh - Command Injection - CVE:CVE-2025-59361</td> |
| 71 | + <td>Log</td> |
| 72 | + <td>Block</td> |
| 73 | + <td>This is a New Detection</td> |
| 74 | + </tr> |
| 75 | + <tr> |
| 76 | + <td>Cloudflare Managed Ruleset</td> |
| 77 | + <td> |
| 78 | + <RuleID id="05eea4fabf6f4cf3aac1094b961f26a7" /> |
| 79 | + </td> |
| 80 | + <td>100886</td> |
| 81 | + <td>Form-Data - Parameter Pollution - CVE:CVE-2025-7783</td> |
| 82 | + <td>Log</td> |
| 83 | + <td>Block</td> |
| 84 | + <td>This is a New Detection</td> |
| 85 | + </tr> |
| 86 | + <tr> |
| 87 | + <td>Cloudflare Managed Ruleset</td> |
| 88 | + <td> |
| 89 | + <RuleID id="90514c7810694b188f56979826a4074c" /> |
| 90 | + </td> |
| 91 | + <td>100888</td> |
| 92 | + <td>Chaos Mesh - Command Injection - CVE:CVE-2025-59360</td> |
| 93 | + <td>Log</td> |
| 94 | + <td>Block</td> |
| 95 | + <td>This is a New Detection</td> |
| 96 | + </tr> |
| 97 | + <tr> |
| 98 | + <td>Cloudflare Managed Ruleset</td> |
| 99 | + <td> |
| 100 | + <RuleID id="42fbc8c09ec84578b9633ffc31101b2f" /> |
| 101 | + </td> |
| 102 | + <td>100916</td> |
| 103 | + <td>Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882</td> |
| 104 | + <td>N/A</td> |
| 105 | + <td>Block</td> |
| 106 | + <td>This is a New Detection</td> |
| 107 | + </tr> |
| 108 | + <tr> |
| 109 | + <td>Cloudflare Managed Ruleset</td> |
| 110 | + <td> |
| 111 | + <RuleID id="badc687a3ba3420a844220b129aa43c3" /> |
| 112 | + </td> |
| 113 | + <td>100917</td> |
| 114 | + <td>Generic Rules - SQLi - Inline Comment Injection</td> |
| 115 | + <td>N/A</td> |
| 116 | + <td>Disabled</td> |
| 117 | + <td>This is a New Detection</td> |
| 118 | + </tr> |
| 119 | + <tr> |
| 120 | + <td>Cloudflare Managed Ruleset</td> |
| 121 | + <td> |
| 122 | + <RuleID id="28fa27511f29428899ceb5a273c10b6f" /> |
| 123 | + </td> |
| 124 | + <td>100918</td> |
| 125 | + <td>Generic Rules - SQLi - Information Disclosure</td> |
| 126 | + <td>N/A</td> |
| 127 | + <td>Disabled</td> |
| 128 | + <td>This is a New Detection</td> |
| 129 | + </tr> |
| 130 | + </tbody> |
| 131 | +</table> |
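Review bot: In the table rows for 100882, 100883, 100884, 100886 and 100888 the Previous Action is `Log` while the Comments cell reads "This is a New Detection", whereas rows 100916 to 100918 carry the same comment with `N/A` as the previous action. Either set Previous Action to `N/A` on those five rows or change the comment to say the rule is moving out of an earlier Log-mode release, so readers can tell whether they should already have log events for these rule IDs. Related point: 100882 (Chaos Mesh - Missing Authentication - CVE-2025-59358) moves from Log to Disabled, and both generic SQLi rules (100917, 100918) ship as Disabled, yet the intro paragraph and Key Findings describe the Chaos Mesh flaws as "addressed" and the SQLi detections as "added to catch" obfuscation without saying they are off by default. Suggest one sentence under Key Findings stating that these three rules are disabled by default and must be enabled to take effect. Minor style point on file line 15: the CVE list `CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361` is missing spaces after the commas, unlike the slash-separated list on line 25.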