
The Cloudflare mTLS vulnerability - A Deep Dive Analysis

The Backend Engineering Show with Hussein Nasser


Cloudflare Discovered a Vulnerability That Prevented Some Users With Revoked Certificates From Resuming a Session via Mutual TLS

Cloudflare discovered a bug where, in limited circumstances, some users with revoked certificates may not have been blocked by Cloudflare Firewall settings, even if the customer had configured Firewall rules to do so. Cloudflare looked at its logs and did not see anything from March 2021, when it shipped the feature that introduced this vulnerability, up until December 2022. The bug has been mitigated and Cloudflare has no evidence of it being exploited. Out of an abundance of caution, Cloudflare notified any customer that may have been impacted so they can check their own logs to determine whether an mTLS-protected resource was accessed by entities holding a revoked certificate.
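The failure mode the episode describes, modelled as an added example (not Cloudflare's or the podcast's code): a revocation check that runs only during the full mTLS handshake lets a client whose certificate is revoked afterwards keep resuming its cached session, while re-checking revocation on resumption closes the gap. The class, method names, certificate serials and in-memory session store are assumptions made for the illustration.

```python
"""Toy model of mTLS session resumption and certificate revocation.
Illustrative only; this is not Cloudflare's implementation."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    session_id: str
    cert_serial: str  # client identity bound to the cached session


@dataclass
class MtlsEdge:
    # Serials of revoked client certificates, e.g. loaded from a CRL (constructed).
    revoked: Set[str] = field(default_factory=set)
    # True = the fixed behaviour: revocation is re-evaluated on resumption.
    recheck_on_resume: bool = True
    sessions: Dict[str, Session] = field(default_factory=dict)

    def revoke(self, cert_serial: str) -> None:
        self.revoked.add(cert_serial)

    def full_handshake(self, cert_serial: str) -> Optional[Session]:
        """Full handshake: validate the presented client cert, then cache the session."""
        if cert_serial in self.revoked:
            return None  # blocked: the certificate is revoked
        sess = Session(secrets.token_hex(8), cert_serial)
        self.sessions[sess.session_id] = sess
        return sess

    def resume(self, session_id: str) -> bool:
        """Abbreviated handshake: the client presents a cached session, not its
        certificate. Returns True if the request is allowed through."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return False
        if self.recheck_on_resume and sess.cert_serial in self.revoked:
            # Fixed behaviour: apply revocation to the identity bound to the
            # session, not only to certificates seen in a full handshake.
            del self.sessions[session_id]
            return False
        # With recheck_on_resume=False the cached session is trusted even
        # though its certificate has since been revoked (the described bug).
        return True


def demo(recheck_on_resume: bool) -> Tuple[bool, bool]:
    """Returns (allowed before revocation, allowed after revocation)."""
    edge = MtlsEdge(recheck_on_resume=recheck_on_resume)
    sess = edge.full_handshake("0A1B2C")  # constructed serial
    before = edge.resume(sess.session_id)
    edge.revoke("0A1B2C")
    return before, edge.resume(sess.session_id)
```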
