@SwitHak
SwitHak / 20211210-TLP-WHITE_LOG4J.md
Last active April 18, 2024 11:20
BlueTeam CheatSheet *Log4Shell* | Last updated: 2021-12-20 2238 UTC

Security Advisories / Bulletins / vendors Responses linked to Log4Shell (CVE-2021-44228)

Errors, typos, something to say?

  • If you want to add a link, comment or send it to me
  • Feel free to report any mistake directly below in the comment or in DM on Twitter @SwitHak

Other great resources

  • Royce Williams' list, sorted by vendor response: Royce List
  • Very detailed list: NCSC-NL
  • The list maintained by the U.S. Cybersecurity and Infrastructure Security Agency: CISA List
@enricofoltran
enricofoltran / main.go
Last active April 1, 2024 00:17
A simple golang web server with basic logging, tracing, health check, graceful shutdown and zero dependencies
package main
import (
"context"
"flag"
"fmt"
"log"
"net/http"
"os"
"os/signal"
@v0lkan
v0lkan / nginx.conf
Last active April 2, 2024 18:25
Configuring NGINX for Maximum Throughput Under High Concurrency
user web;
# One worker process per CPU core.
worker_processes 8;
# Also set
# /etc/security/limits.conf
# web soft nofile 65535
# web hard nofile 65535
# /etc/default/nginx
@gionn
gionn / fog_cloudfiles_timeout.md
Last active March 20, 2017 12:52
Fog CloudFiles (Rackspace) reporting timeout errors

If you are getting something like the following, on a box without IPv6 connectivity:

/opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/excon-0.44.4/lib/excon/socket.rb:291:in `raise_timeout_error': read timeout reached (Excon::Errors::Timeout)
	from /opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/excon-0.44.4/lib/excon/socket.rb:49:in `rescue in readline'
	[...]
	from /opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/fog-core-1.29.0/lib/fog/core/connection.rb:81:in `request'
	from /opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/fog-1.28.0/lib/fog/rackspace/service.rb:42:in `request'
	from /opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/fog-1.28.0/lib/fog/rackspace/storage.rb:444:in `request'
	from /opt/rbenv/versions/1.9.3-p547/lib/ruby/gems/1.9.1/gems/fog-1.28.0/lib/fog/rackspace/requests/storage/put_object.rb:35:in `put_object'
# Multiple inheritance with Modules as an alternative to injected composition
# from Sandi Metz's talk [Nothing is Something](http://confreaks.tv/videos/bathruby2015-nothing-is-something)
# Like Sandi's 'direct' DI method this has behavior outside of the base class
# that gets composed together. However in this gist I compose modules in class
# definitions instead of injecting collaborators.
# Tradeoffs between this and Sandi's version are that in this case the API consumer doesn't
# have to know how to make a RandomEchoHouse (no `house = House.new(formatter: Whatever.new)`),
# but also the API consumer can't make anything not already accounted for either.
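The trade-off described in the comments above, shown side by side as an added example (this is not the gist's code; the phrases, class names and the fixed random seed are constructed for the example). Injected composition lets the caller pass any formatter, including combinations the House author never declared; module composition fixes the available variants in the class definition, so `RandomEchoHouse.new` needs no arguments but nothing else can be assembled.

```ruby
# Constructed for this example: four phrases of "The House that Jack Built",
# outermost first, as in Sandi Metz's talk.
PHRASES = [
  'the cat that killed',
  'the rat that ate',
  'the malt that lay in',
  'the house that Jack built',
].freeze

# --- Injected composition: the caller chooses the collaborator ---------------
class DefaultFormatter
  def format(phrases); phrases; end
end

class RandomFormatter
  def initialize(rng = Random.new); @rng = rng; end
  def format(phrases); phrases.shuffle(random: @rng); end
end

class EchoFormatter
  def format(phrases); phrases.flat_map { |p| [p, p] }; end
end

class House
  attr_reader :phrases

  # Any object responding to #format can be injected, including combinations
  # the House author never anticipated.
  def initialize(formatter: DefaultFormatter.new)
    @phrases = formatter.format(PHRASES)
  end

  def line(n); "This is #{phrases.last(n).join(' ')}"; end
end

# --- Module composition: variants are fixed in the class definition ----------
module RandomOrder
  # Fixed seed so the example is reproducible; a real implementation would not seed.
  def phrases; super.shuffle(random: Random.new(1)); end
end

module Echo
  def phrases; super.flat_map { |p| [p, p] }; end
end

class ModularHouse
  def phrases; PHRASES; end
  def line(n); "This is #{phrases.last(n).join(' ')}"; end
end

# Callers just write RandomEchoHouse.new, but only combinations declared here
# exist. Ruby looks up the last-included module first, so Echo#phrases runs,
# calls super into RandomOrder#phrases, which calls super into ModularHouse.
class RandomEchoHouse < ModularHouse
  include RandomOrder
  include Echo
end
```

Because `Echo` is included last, the phrases are shuffled first and then doubled, so echoed pairs stay adjacent; swapping the two `include` lines would shuffle after echoing and split the pairs. That ordering is exactly the kind of decision the module approach hides from the caller.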
@albertstill
albertstill / enigma_machine.rb
Last active February 25, 2021 18:46
Understand how the Enigma machine works with 30 lines of Ruby
# Plugboard: ten random letter pairs, swapped in both directions;
# letters without a partner map to themselves.
Plugboard = Hash[*('A'..'Z').to_a.sample(20)]
Plugboard.merge!(Plugboard.invert)
Plugboard.default_proc = proc { |_, key| key }
# A rotor is a random permutation of the alphabet.
def build_a_rotor
  Hash[('A'..'Z').zip(('A'..'Z').to_a.shuffle)]
end
ROTOR_1, ROTOR_2, ROTOR_3 = build_a_rotor, build_a_rotor, build_a_rotor
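The gist above draws random plugboard pairs and rotors, so its output differs on every run. The following is an added example, not albertstill's code, that models the same machine deterministically with the real Enigma I wirings for rotors I, II, III and reflector B, including rotor stepping with the middle rotor's double step and a plugboard. Ring settings are fixed at A (a simplification), and the `Enigma`, `Rotor` and `self_mapping_count` names are this example's own. With rotors I-II-III, reflector B and all windows at A, typing `AAAAA` produces `BDZGO`, the standard test vector for this configuration.

```ruby
ALPHABET = ('A'..'Z').to_a.freeze

# Historical Enigma I wirings (real values): each string maps A..Z at ring
# setting A; the second element is the window letter at which the rotor's notch
# steps the rotor to its left.
ROTOR_WIRINGS = {
  'I'   => ['EKMFLGDQVZNTOWYHXUSPAIBRCJ', 'Q'],
  'II'  => ['AJDKSIRUXBLHWTMCQGZNPYFVOE', 'E'],
  'III' => ['BDFHJLCPRTXVZNYEIWGAKMUSQO', 'V'],
}.freeze
REFLECTOR_B = 'YRUHQSLDPXNGOKMIEBFZCWVJAT'

class Rotor
  def initialize(name, window_letter)
    wiring, notch = ROTOR_WIRINGS.fetch(name)
    @forward  = wiring.chars.map { |c| ALPHABET.index(c) }
    @backward = @forward.each_with_index.sort.map(&:last)  # inverse permutation
    @notch    = ALPHABET.index(notch)
    @position = ALPHABET.index(window_letter)
  end

  def at_notch?; @position == @notch; end
  def step; @position = (@position + 1) % 26; end

  # A signal at fixed contact c enters the rotated rotor at (c + position) and
  # leaves at the wired contact minus the same rotation.
  def forward(c);  (@forward[(c + @position) % 26]  - @position) % 26; end
  def backward(c); (@backward[(c + @position) % 26] - @position) % 26; end
end

class Enigma
  # rotors are named left to right; positions are the window letters;
  # plugboard is space-separated pairs such as "AB CD". Ring settings are
  # fixed at A to keep the model short.
  def initialize(rotors: %w[I II III], positions: 'AAA', plugboard: '')
    @left, @middle, @right = rotors.zip(positions.chars).map { |n, p| Rotor.new(n, p) }
    @reflector = REFLECTOR_B.chars.map { |c| ALPHABET.index(c) }
    @plug = (0..25).to_a
    plugboard.split.each do |pair|
      a, b = pair.chars.map { |c| ALPHABET.index(c) }
      @plug[a], @plug[b] = b, a
    end
  end

  # Rotors move before the electrical contact is made. The middle rotor
  # "double steps": when it sits on its own notch it advances itself and the
  # left rotor, which is what the original mechanism's pawls do.
  def step_rotors
    if @middle.at_notch?
      @middle.step
      @left.step
    elsif @right.at_notch?
      @middle.step
    end
    @right.step
  end

  def press(letter)
    step_rotors
    c = @plug[ALPHABET.index(letter)]
    c = @left.forward(@middle.forward(@right.forward(c)))
    c = @reflector[c]
    c = @right.backward(@middle.backward(@left.backward(c)))
    ALPHABET[@plug[c]]
  end

  # The same settings encrypt and decrypt, because the signal path through the
  # reflector is its own inverse.
  def encrypt(text)
    text.upcase.gsub(/[^A-Z]/, '').each_char.map { |l| press(l) }.join
  end
  alias decrypt encrypt
end

# The reflector has no fixed points, so no letter ever encrypts to itself. That
# property is what let cribs be aligned against ciphertext at Bletchley Park.
def self_mapping_count(plaintext, **settings)
  ciphertext = Enigma.new(**settings).encrypt(plaintext)
  plaintext.chars.zip(ciphertext.chars).count { |p, c| p == c }
end
```

To decrypt, build a second machine with the same rotors, positions and plugboard and feed it the ciphertext; the random-keyed version in the gist cannot do this across runs because its wirings are regenerated each time.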
@profh
profh / decode_session_cookie.rb
Last active June 23, 2021 13:25
A simple script to decode Rails 4 session cookies
@longlostnick
longlostnick / uploads_controller.rb
Created June 17, 2014 18:20
Rails JSON file upload with carrierwave (from base64 string)
class Api::UploadsController < ApiController
  def create
    @upload = Upload.new(upload_params)
  ensure
    clean_tempfile
  end

  private
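The controller preview above accepts a file as a base64 string inside JSON and cleans up a tempfile in `ensure`. The following is an added example, not longlostnick's code, of the decode-and-validate step that should sit between those two points; it is plain Ruby with no Rails or CarrierWave dependency, and the `data:` URI shape, the allow-list, the size cap and the function names are this example's assumptions. It checks the declared MIME type against an allow-list, caps the size before decoding, verifies the decoded bytes' magic number against the declared type (the declared type is attacker-controlled), strips path components from the client filename, and always removes the tempfile.

```ruby
require 'tempfile'

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumption: 5 MiB cap

# Allow-list of declared MIME types and the magic bytes the decoded payload
# must start with; the declared type alone is attacker-controlled.
ALLOWED_TYPES = {
  'image/png'       => "\x89PNG\r\n\x1a\n".b,
  'image/jpeg'      => "\xFF\xD8\xFF".b,
  'application/pdf' => '%PDF-'.b,
}.freeze

DATA_URI = %r{\Adata:(?<type>[\w.+-]+/[\w.+-]+);base64,(?<data>[A-Za-z0-9+/=]+)\z}

class UploadError < StandardError; end

# Parses "data:<type>;base64,<payload>" (the shape a JSON client sends), enforces
# the allow-list, a size cap and a magic-byte check, and returns the raw bytes.
def decode_base64_upload(data_uri)
  m = DATA_URI.match(data_uri.to_s)
  raise UploadError, 'not a base64 data URI' unless m
  magic = ALLOWED_TYPES[m[:type]]
  raise UploadError, "type not allowed: #{m[:type]}" unless magic
  # Base64 inflates by 4/3, so the cap can be applied before decoding anything.
  raise UploadError, 'upload too large' if m[:data].bytesize > (MAX_UPLOAD_BYTES * 4 / 3) + 4
  bytes = begin
    m[:data].unpack1('m0')   # strict Base64 decode; raises on malformed input
  rescue ArgumentError
    raise UploadError, 'malformed base64'
  end
  raise UploadError, 'content does not match declared type' unless bytes.start_with?(magic)
  bytes
end

# Strips any directory component and unsafe characters from a client-supplied
# filename so it can never escape the upload directory or become a dotfile.
def safe_filename(name)
  base = File.basename(name.to_s).gsub(/[^\w.-]/, '_')
  base = "upload_#{base}" if base.empty? || base.start_with?('.')
  base
end

# Writes the decoded bytes to a Tempfile, yields it with the sanitized name,
# and always cleans up, mirroring the controller's ensure/clean_tempfile.
def with_decoded_upload(data_uri, filename: 'upload')
  bytes = decode_base64_upload(data_uri)
  name  = safe_filename(filename)
  tmp   = Tempfile.new(['upload', File.extname(name)])
  tmp.binmode
  tmp.write(bytes)
  tmp.rewind
  yield tmp, name
ensure
  if tmp
    tmp.close
    tmp.unlink
  end
end
```

Inside `create`, the block form would wrap the `Upload.new(...)` call so the tempfile outlives the save but not the request; a spoofed type (a script body declared as `image/png`) is rejected at the magic-byte check before anything touches disk.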
# config/routes.rb
resources :documents do
  scope module: 'documents' do
    resources :versions do
      post :restore, on: :member
    end
    resource :lock
  end
end
@mattetti
mattetti / rails_json_session.rb
Last active September 23, 2020 07:04
This is a monkey patch to change Rails 4's default session/signed cookie serializer from Marshal to JSON for security and compatibility reasons. Note that this is a hack, a pretty terrible one and you should only use it if you know what you're doing. Also, I only wrote this patch for my own personal use, so don't be surprised if it doesn't work …
# Hack to change the Rails cookie serializer from Marshal to JSON and therefore allow the session
# to be shared between different languages but also avoid that someone knowing the
# cookie secret key could execute arbitrary code on the server by unmarshalling
# modified Ruby code added to the session/permanent cookie.
#
# Note that all users will need to log in again, since both the remember-me cookie and the session cookies
# won't be valid. Note also that the remember-me cookie is tested multiple times per request even when it fails;
# for performance reasons you might want to delete it if these extra cycles are too costly for you.
#
# Rails 4 (not tested on Rails 3).
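The risk the comments above describe, and the cookie format that profh's decoder script reads, demonstrated in one added example (this is neither gist's code). It implements a stand-in for the Rails 4 signed-cookie verifier with the standard library only, then shows what an attacker who has obtained the signing key can do under the Marshal serializer versus the JSON one. The `Gadget` class, the `SignedCookie` stand-in, the demo secret and the helper names are this example's assumptions; the cookie layout (Base64 payload, `--`, hex HMAC-SHA1) and the PBKDF2 key derivation match Rails 4's signed cookies, but use Rails' own `ActiveSupport::MessageVerifier` in real code.

```ruby
require 'openssl'
require 'json'

# Rails 4 derives the signing key from secret_key_base with PBKDF2-HMAC-SHA1
# (ActiveSupport::KeyGenerator: 1000 iterations, 64-byte key, salt "signed cookie").
# The secret below is constructed for the example, not a real one.
DEMO_SECRET_KEY_BASE = 'constructed-demo-secret-key-base-do-not-reuse'
DEMO_KEY = OpenSSL::KDF.pbkdf2_hmac(DEMO_SECRET_KEY_BASE, salt: 'signed cookie',
                                    iterations: 1000, length: 64, hash: 'sha1')

# Stand-in for ActiveSupport::MessageVerifier as used by Rails 4 signed cookies:
#   cookie = Base64(serializer.dump(value)) + "--" + hex(HMAC-SHA1(key, Base64 part))
class SignedCookie
  def initialize(key, serializer)
    @key = key
    @serializer = serializer
  end

  def generate(value)
    data = [@serializer.dump(value)].pack('m0')   # strict Base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the deserialized value, or nil if the signature is wrong. Only
  # signature-valid bytes ever reach the serializer, which is why the key is
  # the whole story: whoever holds it chooses what gets deserialized.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil unless data && sig && secure_compare(digest(data), sig)
    @serializer.load(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @key, data)
  end

  # Constant-time comparison so a byte-by-byte timing leak cannot help forge the MAC.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rails 4's default serializer (Marshal) and the JSON one the patch switches to.
module MarshalSerializer
  def self.dump(value); Marshal.dump(value); end
  def self.load(str);   Marshal.load(str);   end
end

module JsonSerializer
  def self.dump(value); JSON.generate(value); end
  def self.load(str);   JSON.parse(str);      end
end

# Benign stand-in for a deserialization gadget: any class on the app's load path
# whose marshal_load hook does something with attacker-chosen data. Real gadget
# chains end in code execution; this one only records that it was reached.
SIDE_EFFECTS = []
class Gadget
  def initialize(cmd); @cmd = cmd; end
  def marshal_dump; @cmd; end
  def marshal_load(cmd)
    @cmd = cmd
    SIDE_EFFECTS << "gadget reached with: #{cmd}"
  end
end

# An attacker holding the key forges a cookie; the server verifies and loads it.
# Returns [class the server ends up with, side effects triggered during load].
def forge_and_load(key, serializer, payload)
  SIDE_EFFECTS.clear
  cookie = SignedCookie.new(key, serializer).generate(payload)   # attacker side
  value  = SignedCookie.new(key, serializer).verify(cookie)      # server side
  [value.class, SIDE_EFFECTS.dup]
end

# Rails 4.0 session cookies are signed, not encrypted, so anyone can read the
# payload without the key, which is what profh's decoder does. Decoding an
# untrusted cookie with Marshal is the very hazard above: run this only on
# cookies you minted yourself, or decode with JsonSerializer.
def decode_without_key(cookie, serializer = MarshalSerializer)
  serializer.load(cookie.split('--', 2).first.unpack1('m0'))
end

# Replaces the signature, as a tampering attempt without the key would.
def tamper(cookie)
  data, sig = cookie.split('--', 2)
  "#{data}--#{'0' * sig.size}"
end
```

Under Marshal, a signed payload can name any class in the process and trigger its `marshal_load` hook, so a leaked `secret_key_base` becomes code execution. Under JSON the same key only lets the attacker tamper with data (claim another `user_id`, for example), which is still a session forgery but no longer a deserialization sink.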