Thank you for the notice, and the already fixed releases =) Is there a JIRA or associated PR with the fix? I’m not seeing a specific fix in the changelogs for 9.3.0 and 8.12.0.
Thanks,
Matt Pavlovich

> On May 25, 2021, at 2:51 AM, Emond Papegaaij <emond.papega...@gmail.com> wrote:
>
> Description:
>
> A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself.
>
> This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.
>
> Mitigation:
>
> Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client.
>
> The application developers are recommended to upgrade to:
> - Apache Wicket 7.18.0 <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> - Apache Wicket 8.12.0 <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> - Apache Wicket 9.0.0 <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
>
> Credit:
>
> Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.
>
> Apache Wicket Team
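The advisory's mitigation is to let the reverse proxy rewrite X-Forwarded-For so only IP literals reach the application. As an added, defender-side example (not Wicket's code and not from the thread), the function below applies the same rule inside the application: each header entry is parsed with Python's ipaddress module, which works purely on the string and never consults a resolver, so a hostname-shaped entry is dropped instead of being looked up. The trusted-proxy list and the sample header values are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, List, Optional


def sanitize_forwarded_for(header_value: Optional[str]) -> List[str]:
    """Keep only the X-Forwarded-For entries that are IP literals.

    ipaddress.ip_address() validates the textual form only; it never triggers
    a DNS lookup, which is what a hostname-shaped entry could cause if it were
    handed to a resolver-backed API.
    """
    if not header_value:
        return []
    kept: List[str] = []
    for raw in header_value.split(","):
        token = raw.strip()
        # Accept "[v6]:port" and "v4:port" forms by stripping the port.
        if token.startswith("[") and "]" in token:
            token = token[1:token.index("]")]
        elif token.count(":") == 1:
            token = token.split(":", 1)[0]
        try:
            kept.append(str(ipaddress.ip_address(token)))
        except ValueError:
            # Not an IP literal (e.g. a hostname): discard rather than resolve.
            continue
    return kept


def client_address(header_value: Optional[str], remote_addr: str,
                   trusted_proxies: Iterable[str]) -> str:
    """Derive the client IP from the sanitized chain plus the TCP peer address.

    Walk the chain from the right and skip hops that are known proxies; the
    first untrusted address is the client. If every hop is trusted, fall back
    to the leftmost entry.
    """
    trusted = set(trusted_proxies)
    chain = sanitize_forwarded_for(header_value) + [remote_addr]
    for addr in reversed(chain):
        if addr not in trusted:
            return addr
    return chain[0]


if __name__ == "__main__":
    # Constructed sample: a hostname slipped into the header is dropped.
    print(sanitize_forwarded_for("203.0.113.7, lookup-me.example, [2001:db8::1]:8080"))
    print(client_address("203.0.113.7, 10.0.0.5", "10.0.0.1", {"10.0.0.1", "10.0.0.5"}))
```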