Cloudflare published a blog post about a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228). The exploit was made public yesterday, December 9, and results in remote code execution (RCE).
Cloudflare says this vulnerability is actively being exploited and that anyone using Log4j should update to version 2.15.0 as soon as possible. The latest version can already be found on the Log4j download page.
The company deployed three new WAF rules to help mitigate any exploit attempts, and they have now been configured with a default action of BLOCK.
More details on the vulnerability can be found on the official Log4j security page.