oss-sec mailing list archives

CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack


From: Emond Papegaaij <papegaaij () apache org>
Date: Tue, 25 May 2021 10:17:06 +0200

Description:

A DNS proxy and possible amplification attack vulnerability in
WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
DNS lookups from the server when the X-Forwarded-For header is not
properly sanitized. This DNS lookup can be engineered to overload an
internal DNS server or to slow down request processing of the Apache
Wicket application causing a possible denial of service on either the
internal infrastructure or the web application itself.

This issue affects Apache Wicket 9.x version 9.2.0 and prior versions;
Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x
version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0
and later versions.

Mitigation:

Sanitize the X-Forwarded-For header by running an Apache Wicket
application behind a reverse HTTP proxy. This proxy should put the
client IP address in the X-Forwarded-For header and not pass through
the contents of the header as received by the client.
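As an added illustration of the mitigation above (not part of the advisory and not configuration shipped by the Wicket project), the following nginx reverse proxy snippet shows the weak setting, which forwards whatever X-Forwarded-For value the client sent, next to the corrected setting, which overwrites the header with the TCP peer address. The upstream name `wicket_app` and the listening port are assumptions.

```nginx
# Assumed upstream: the Wicket application listening on localhost:8080
upstream wicket_app {
    server 127.0.0.1:8080;
}

server {
    listen 80;

    location / {
        proxy_pass http://wicket_app;
        proxy_set_header Host $host;

        # WEAK: $proxy_add_x_forwarded_for appends $remote_addr to the
        # X-Forwarded-For header received from the client, so any string
        # the client supplies is passed through to the application.
        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # CORRECTED: replace the header entirely with the address of the
        # peer that connected to this proxy; client-supplied contents
        # never reach the application.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

If nginx itself sits behind another trusted proxy or load balancer, the peer address is that proxy rather than the client; in that case restrict trust to the known proxy addresses with the ngx_http_realip_module (`set_real_ip_from` and `real_ip_header X-Forwarded-For`) rather than reverting to pass-through of the header.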

The application developers are recommended to upgrade to:
- Apache Wicket 7.18.0
<https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0
<https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.0.0
<https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>

Credit:

Apache Wicket would like to thank Jonathan Juursema from
Topicus.Healthcare for reporting this issue.

Apache Wicket Team
