oss-sec mailing list archives
CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack
From: Emond Papegaaij <papegaaij () apache org>
Date: Tue, 25 May 2021 10:17:06 +0200
Description:
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service of either the internal infrastructure or the web application itself.

This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.

Mitigation:
Sanitize the X-Forwarded-For header by running the Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and must not pass through the contents of the header as received from the client.

The application developers are recommended to upgrade to:
- Apache Wicket 7.18.0 <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0 <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.3.0 <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>

Credit:
Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.

Apache Wicket Team
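The bug class behind this advisory, as an added illustration that is not Apache Wicket's code (Wicket is Java; Python is used here only to keep the example short and offline): the first X-Forwarded-For entry is taken verbatim and handed to a name resolver, so a client that puts a hostname in the header makes the server issue a DNS query. The resolver is a recording stand-in for a real one such as socket.gethostbyname or java.net.InetAddress.getByName, the request tuples and the attacker.example labels are constructed, and the exact code path inside WebClientInfo is not reproduced; only the pattern the description names is.

```python
"""Added example for CVE-2021-23937's bug class (not Apache Wicket's code):
a client-controlled X-Forwarded-For value reaching a name resolver, next to
a version that only accepts IP literals. All inputs below are constructed."""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Constructed requests as (X-Forwarded-For header or None, TCP peer address).
CONSTRUCTED_REQUESTS: List[Tuple[Optional[str], str]] = [
    ("203.0.113.7", "10.0.0.2"),                                  # value a proxy would set
    ("2001:db8::1", "10.0.0.2"),                                  # IPv6 literal
    (None, "10.0.0.2"),                                           # header absent
    ("lookup-1a2b3c.attacker.example, 203.0.113.7", "10.0.0.2"),  # first hop is a hostname
    ("198.51.100.9, 203.0.113.7", "10.0.0.2"),                    # spoofed but harmless literal
]


def first_forwarded_hop(xff: Optional[str], peer: str) -> str:
    """The usual 'first X-Forwarded-For entry, else the socket peer' logic."""
    if xff:
        return xff.split(",", 1)[0].strip()
    return peer


class RecordingResolver:
    """Stand-in for a real resolver (socket.gethostbyname, Java's
    InetAddress.getByName): an IP literal needs no network traffic, anything
    else is a hostname that would go out as a DNS query. The query is only
    recorded here so the example runs offline."""

    def __init__(self) -> None:
        self.dns_queries: List[str] = []

    def __call__(self, value: str) -> str:
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            self.dns_queries.append(value)
            return "0.0.0.0"  # a real resolver would block here, or raise


def vulnerable_client_address(xff: Optional[str], peer: str,
                              resolve: Callable[[str], str]) -> str:
    """Bug pattern: whatever the client sent is handed to the resolver, so a
    hostname in X-Forwarded-For makes the server issue a DNS lookup."""
    return resolve(first_forwarded_hop(xff, peer))


def hardened_client_address(xff: Optional[str], peer: str) -> str:
    """Accept the forwarded value only if it parses as an IP literal.
    ipaddress.ip_address() never consults DNS, so nothing the client sends
    can trigger a lookup; anything else falls back to the peer address."""
    candidate = first_forwarded_hop(xff, peer)
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer


def compare(requests: List[Tuple[Optional[str], str]]) -> Tuple[List[str], List[str]]:
    """Return (hostnames the vulnerable path sent to DNS, addresses the
    hardened path produced) for the same requests."""
    resolver = RecordingResolver()
    for xff, peer in requests:
        vulnerable_client_address(xff, peer, resolver)
    hardened = [hardened_client_address(xff, peer) for xff, peer in requests]
    return resolver.dns_queries, hardened


def distinct_queries_under_flood(n: int) -> int:
    """Amplification angle: each request carries a fresh label under an
    attacker-controlled zone (constructed names), so no resolver cache hit
    absorbs it and every request becomes a distinct upstream DNS query."""
    resolver = RecordingResolver()
    for i in range(n):
        vulnerable_client_address(f"q{i:06x}.attacker.example", "10.0.0.2", resolver)
    return len(set(resolver.dns_queries))


if __name__ == "__main__":
    queries, hardened = compare(CONSTRUCTED_REQUESTS)
    print("DNS queries triggered by the vulnerable path:", queries)
    print("addresses chosen by the hardened path:", hardened)
    print("distinct DNS queries from 1000 crafted requests:", distinct_queries_under_flood(1000))
```

Validating the literal stops the lookup but not the spoofing: the last constructed request still lets the client claim 198.51.100.9 as its address. That is why the advisory's mitigation is placed at the reverse proxy, which must overwrite X-Forwarded-For with the address it observed (for example `proxy_set_header X-Forwarded-For $remote_addr;` in nginx) rather than forward what the client sent.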