List: oss-security
Subject: [oss-security] CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack
From: Emond Papegaaij <papegaaij () apache ! org>
Date: 2021-05-25 8:17:06
Message-ID: CAGXsc+aitBM=VqO-TjvY2GjpdUsDiBtDrHS_24Tp7=ZVwi3hqg () mail ! gmail ! com
Description:
A DNS proxy and possible amplification attack vulnerability in
WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
DNS lookups from the server when the X-Forwarded-For header is not
properly sanitized. This DNS lookup can be engineered to overload an
internal DNS server or to slow down request processing of the Apache
Wicket application causing a possible denial of service on either the
internal infrastructure or the web application itself.
This issue affects Apache Wicket 9.x version 9.2.0 and prior versions;
Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x
version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0
and later versions.
Mitigation:
Sanitize the X-Forwarded-For header by running the Apache Wicket
application behind a reverse HTTP proxy. The proxy should set the
X-Forwarded-For header to the connecting client's IP address and must
not pass through the header contents as received from the client.
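The defect class described above is a header value that is handed to a resolver unchecked, and the mitigation is to make sure only IP literals ever come out of X-Forwarded-For. The following is an added example of that check, written here for the advisory and not taken from Apache Wicket or its proxy configuration; it goes slightly beyond the text by also resolving the real client address through a chain of trusted proxies. The sample header values, the `MAX_HOPS` cap and the trusted-proxy addresses are constructed for illustration.

```python
"""Defender-side handling of X-Forwarded-For without ever resolving a hostname.

Added example (not Apache Wicket code). The header may only ever yield IP
literals; anything else is dropped before the value reaches any code path
that might call a resolver.
"""
import ipaddress
from typing import Iterable, Optional

MAX_HOPS = 10  # constructed cap: over-long attacker-supplied chains are truncated

# Constructed sample header values, not taken from any real traffic.
SAMPLE_HEADERS = {
    "plain":    "203.0.113.7",
    "chain":    "203.0.113.7, 10.0.0.2",
    "hostname": "lookup-me.example",               # a hostname, not an address: never resolve it
    "mixed":    "lookup-me.example, 203.0.113.7",
    "ipv6":     "[2001:db8::1]",
    "empty":    "",
}


def parse_ip_literal(token: str) -> Optional[str]:
    """Return the normalised address if token is an IPv4/IPv6 literal, else None.

    ipaddress.ip_address() only parses text; unlike socket.gethostbyname() or
    Java's InetAddress.getByName() it never contacts a resolver, so a hostname
    here is rejected without generating a single DNS query.
    """
    token = token.strip()
    if token.startswith("[") and token.endswith("]"):  # bracketed IPv6 form
        token = token[1:-1]
    if not token:
        return None
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def sanitize_xff(header_value: str) -> list[str]:
    """Keep only the IP literals of an X-Forwarded-For value, in order.

    The rightmost MAX_HOPS entries are kept because those are the ones our own
    proxies appended; everything further left is client-supplied.
    """
    hops = []
    for token in header_value.split(","):
        addr = parse_ip_literal(token)
        if addr is not None:
            hops.append(addr)
    return hops[-MAX_HOPS:]


def client_ip_from_xff(header_value: str, remote_addr: str,
                       trusted_proxies: Iterable[str]) -> str:
    """Determine the real client address from the TCP peer and the header chain.

    Walk from the right (the hop our own proxy appended) leftwards, skipping
    trusted proxies; the first untrusted address is the client. If the TCP
    peer itself is not a trusted proxy, the header is attacker-controlled and
    is ignored entirely.
    """
    trusted = {a for a in (parse_ip_literal(p) for p in trusted_proxies) if a}
    peer = parse_ip_literal(remote_addr) or remote_addr
    if peer not in trusted:
        return peer
    for hop in reversed(sanitize_xff(header_value)):
        if hop not in trusted:
            return hop
    return peer  # every hop is one of our proxies: fall back to the peer address


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:9} {value!r:36} -> {sanitize_xff(value)}")
    # Constructed deployment: our reverse proxy is 10.0.0.1.
    print(client_ip_from_xff(SAMPLE_HEADERS["mixed"], "10.0.0.1", ["10.0.0.1"]))
```

Whatever the application later does with the result (logging, reverse lookup for a hostname, rate limiting), it is now guaranteed to be operating on an address literal, so no request header can cause the server to issue a forward DNS query for an attacker-chosen name.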
Application developers are advised to upgrade to:
- Apache Wicket 7.18.0
<https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0
<https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.0.0
<https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
Credit:
Apache Wicket would like to thank Jonathan Juursema from
Topicus.Healthcare for reporting this issue.
Apache Wicket Team