Hi,

Please use users@ or dev@. There is nothing to announce@

On Wed, May 26, 2021 at 5:36 PM Mihir Chhaya <mihir.chh...@gmail.com> wrote:

> Thank you for sharing this information.
>
> Questions:
> 1. Will there be any upgrades from Wicket-CDI, Wicket-bootstrap etc.
> libraries related to this Vulnerability?
>

wicket-cdi is part of Apache Wicket releases, so there is nothing more to
do.
wicket-bootstrap could be used with any version of Wicket, as long as it is
binary compatible, i.e. same major version.


> 2. If yes, then should I wait for those libraries or go ahead and put the
> core Apache Wicket libraries first and then upgrade other libraries when
> available?
>

Just update wicket-core to a version with the fix.


>
> Thank you,
> -Mihir.
>
> On Tue, May 25, 2021 at 3:51 AM Emond Papegaaij <emond.papega...@gmail.com> wrote:
>
> > Description:
> >
> > A DNS proxy and possible amplification attack vulnerability in
> > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > DNS lookups from the server when the X-Forwarded-For header is not
> > properly sanitized. This DNS lookup can be engineered to overload an
> > internal DNS server or to slow down request processing of the Apache
> > Wicket application causing a possible denial of service on either the
> > internal infrastructure or the web application itself.
> >
> > This issue affects Apache Wicket 9.x version 9.2.0 and
> > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > 6.x version 6.2.0 and later versions.
> >
> > Mitigation:
> >
> > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > application behind a reverse HTTP proxy. This proxy should put the
> > client IP address in the X-Forwarded-For header and not pass through
> > the contents of the header as received by the client.
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket 7.18.0
> > <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > - Apache Wicket 8.12.0
> > <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > - Apache Wicket 9.0.0
> > <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> >
> > Credit:
> >
> > Apache Wicket would like to thank Jonathan Juursema from
> > Topicus.Healthcare for reporting this issue.
> >
> > Apache Wicket Team
> >
>
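The advisory's mitigation is to let a trusted reverse proxy write the client address into X-Forwarded-For instead of passing through whatever the client sent. As an added illustration (not code from Apache Wicket or this thread), the check below shows the application-side half of that idea: a forwarded value is only accepted when it parses as an IP literal, so a hostname smuggled into the header can never reach a resolver and trigger a DNS lookup. The header values used are constructed samples.

```python
import ipaddress
from typing import Optional


def sanitize_forwarded_for(header: Optional[str]) -> Optional[str]:
    """Return the leftmost X-Forwarded-For entry only if it is an IP literal.

    No name resolution is ever performed here: a hostname or any other
    non-literal value is rejected with None, so it cannot be handed to a
    resolver (the behaviour the advisory describes for WebClientInfo).
    """
    if not header:
        return None
    # X-Forwarded-For is a comma-separated chain; the leftmost is the client.
    first = header.split(",", 1)[0].strip()
    # Allow the bracketed IPv6 form, e.g. "[2001:db8::1]".
    if first.startswith("[") and first.endswith("]"):
        first = first[1:-1]
    try:
        # ipaddress only parses literals; it never resolves names.
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def client_ip(remote_addr: str, forwarded_for: Optional[str], trust_proxy: bool) -> str:
    """Pick the client address, honouring X-Forwarded-For only behind a trusted proxy.

    remote_addr is the TCP peer address; if the request did not come through
    a proxy we trust, the header is attacker-controlled and is ignored.
    """
    if trust_proxy:
        ip = sanitize_forwarded_for(forwarded_for)
        if ip is not None:
            return ip
    return remote_addr


# Constructed sample header values (not taken from any real request):
SAMPLE_HEADERS = {
    "plain chain": "203.0.113.7, 10.0.0.1",
    "hostname injected": "lookup-me.example, 10.0.0.1",
    "bracketed ipv6": "[2001:DB8::1]",
}
```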
