Description: A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself.
This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.

Mitigation: Sanitize the X-Forwarded-For header by running the Apache Wicket application behind a reverse HTTP proxy. The proxy should put the client IP address in the X-Forwarded-For header and must not pass through the contents of the header as received from the client.

Application developers are recommended to upgrade to:
- Apache Wicket 7.18.0 <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0 <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.0.0 <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>

Credit: Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.

Apache Wicket Team
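The following is an added illustration of the mitigation above; it is not code from Apache Wicket or from the advisory. It models the two proxy behaviours the advisory contrasts (appending the received header versus replacing it with the connecting client's address) and shows an application-side sanitizer that accepts only IP literals from X-Forwarded-For and never resolves header contents, so a hostname planted in the header cannot cause a DNS lookup. All function names and the sample header values are constructed for this example.

```python
import ipaddress
from typing import Optional


def append_forwarded_for(incoming: Optional[str], peer_ip: str) -> str:
    """Pass-through proxy behaviour (the risky one).

    The received header is kept and the peer address is appended, so the
    FIRST element, which most applications treat as the client address, is
    still whatever the remote client sent, including a hostname.
    """
    if incoming:
        return f"{incoming}, {peer_ip}"
    return peer_ip


def replace_forwarded_for(incoming: Optional[str], peer_ip: str) -> str:
    """Sanitizing proxy behaviour recommended by the advisory.

    The received header is discarded and the header is set to the TCP peer
    address only, so no client-controlled text reaches the application.
    """
    return peer_ip


def client_ip_from_forwarded_for(header: Optional[str], remote_addr: str) -> str:
    """Application-side defence: derive the client address without DNS.

    The first comma-separated element of X-Forwarded-For is accepted only if
    it is a syntactically valid IPv4 or IPv6 literal (bracketed IPv6 is
    unwrapped). Anything else, e.g. a hostname, an address with a port
    suffix, junk, or an absent header, falls back to the TCP peer address.
    No name resolution is ever performed on header contents.
    """
    if header:
        first = header.split(",")[0].strip()
        if first.startswith("[") and first.endswith("]"):
            first = first[1:-1]
        try:
            # ip_address() parses literals only; it never touches the resolver.
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # not an IP literal: do not trust it, do not resolve it
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: a client that sends a hostname in the header.
    sent_by_client = "resolver-target.example"  # placeholder hostname
    peer = "203.0.113.5"

    print("append :", append_forwarded_for(sent_by_client, peer))
    print("replace:", replace_forwarded_for(sent_by_client, peer))
    for hdr in (sent_by_client, "203.0.113.5, 10.0.0.2", "[2001:db8::1]", None):
        print(repr(hdr), "->", client_ip_from_forwarded_for(hdr, "10.0.0.1"))
```

With the pass-through proxy the application still sees the hostname first; with the replacing proxy it sees only the peer address. The sanitizer is a second layer for deployments where the proxy configuration cannot be relied upon: it returns the literal it was given or the peer address, and at no point calls a resolver.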