Thank you for sharing this information.

Questions:
1. Will there be any upgrades to the Wicket-CDI, Wicket-bootstrap, etc.
libraries related to this vulnerability?
2. If yes, then should I wait for those libraries or go ahead and put the
core Apache Wicket libraries first and then upgrade other libraries when
available?

Thank you,
-Mihir.

On Tue, May 25, 2021 at 3:51 AM Emond Papegaaij <emond.papega...@gmail.com>
wrote:

> Description:
>
> A DNS proxy and possible amplification attack vulnerability in
> WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> DNS lookups from the server when the X-Forwarded-For header is not
> properly sanitized. This DNS lookup can be engineered to overload an
> internal DNS server or to slow down request processing of the Apache
> Wicket application causing a possible denial of service on either the
> internal infrastructure or the web application itself.
>
> This issue affects Apache Wicket 9.x version 9.2.0 and prior versions;
> Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x
> version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0
> and later versions.
>
> Mitigation:
>
> Sanitize the X-Forwarded-For header by running an Apache Wicket
> application behind a reverse HTTP proxy. This proxy should put the
> client IP address in the X-Forwarded-For header and not pass through
> the contents of the header as received by the client.
>
> The application developers are recommended to upgrade to:
> - Apache Wicket 7.18.0
> <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> - Apache Wicket 8.12.0
> <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> - Apache Wicket 9.0.0
> <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
>
> Credit:
>
> Apache Wicket would like to thank Jonathan Juursema from
> Topicus.Healthcare for reporting this issue.
>
> Apache Wicket Team
>
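As an added example (Java, not code from Apache Wicket or from the advisory above), here is a header check an application could run as defence in depth behind the reverse-proxy mitigation the advisory describes: it keeps only IP literals from X-Forwarded-For, so a hostname that slipped through is never handed to a resolver, and it flags such entries so a proxy that passes the client-supplied header through unchanged can be noticed in logs. The regex literal checks are deliberately conservative and treat bracketed, zoned or ported forms as non-literals.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not part of Apache Wicket. Accepts only IP literals from
 * X-Forwarded-For so that no client-supplied hostname can ever reach a DNS
 * resolver, and reports when anything else was present so a misconfigured
 * proxy that passes the header through can be detected.
 */
public final class ForwardedForSanitizer {

    /** Dotted-quad IPv4 with each octet in 0..255. */
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}"
        + "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    /** Conservative IPv6 syntax: hex groups and at least two colons, nothing else. */
    private static final Pattern IPV6 = Pattern.compile(
        "^[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}$");

    /** Surviving IP literals plus a flag telling whether anything was dropped. */
    public static final class Result {
        public final List<String> addresses = new ArrayList<>();
        public boolean tampered; // true if a non-literal entry was present
    }

    public static Result sanitize(String headerValue) {
        Result r = new Result();
        if (headerValue == null || headerValue.isEmpty()) return r;
        for (String part : headerValue.split(",")) {
            String candidate = part.trim();
            if (IPV4.matcher(candidate).matches() || IPV6.matcher(candidate).matches()) {
                r.addresses.add(candidate);
            } else {
                // Hostnames, bracketed/zoned/ported forms and garbage are dropped
                // without ever being resolved; remember that something was there.
                r.tampered = true;
            }
        }
        return r;
    }

    public static void main(String[] args) {
        // Constructed header: two plausible hops plus an injected hostname.
        Result r = sanitize("203.0.113.10, lookup-me.example, 2001:db8::1");
        System.out.println(r.addresses + " tampered=" + r.tampered);
    }
}
```

When `tampered` is true behind a correctly configured proxy, the proxy is not rewriting the header as the advisory recommends, which is worth alerting on.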
