Thank you for the reply.

We have something like the following in our code. Will this be enough, or do we
still need to replace the jar file?

import javax.servlet.http.HttpServletRequest;

public static String getRemoteAddr(HttpServletRequest request) {
    // If routed behind the Load Balancer, network guys put the original IP in
    // the header as X-Forwarded-For
    String remoteAddr = request.getHeader("X-Forwarded-For");

    // Fallback to the lower-case header name (StrUtils is our own helper)
    if (StrUtils.isBlank(remoteAddr)) {
        remoteAddr = request.getHeader("x-forwarded-for");
    }

    // No header at all: use the address of the peer that connected to us
    if (StrUtils.isBlank(remoteAddr)) {
        remoteAddr = request.getRemoteAddr();
    }

    return remoteAddr;
}


On Wed, May 26, 2021 at 11:05 AM Matt Pavlovich <mattr...@gmail.com> wrote:

> Thank you for the notice, and the already fixed releases =)
>
> Is there a JIRA or associated PR with the fix? I’m not seeing a specific
> fix in the changelogs for 9.3.0 and 8.12.0.
>
> Thanks,
> Matt Pavlovich
>
> > On May 25, 2021, at 2:51 AM, Emond Papegaaij <emond.papega...@gmail.com>
> wrote:
> >
> > Description:
> >
> > A DNS proxy and possible amplification attack vulnerability in
> > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > DNS lookups from the server when the X-Forwarded-For header is not
> > properly sanitized. This DNS lookup can be engineered to overload an
> > internal DNS server or to slow down request processing of the Apache
> > Wicket application causing a possible denial of service on either the
> > internal infrastructure or the web application itself.
> >
> > This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and
> > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > 6.x version 6.2.0 and later versions.
> >
> > Mitigation:
> >
> > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > application behind a reverse HTTP proxy. This proxy should put the
> > client IP address in the X-Forwarded-For header and not pass through
> > the contents of the header as received by the client.
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket 7.18.0
> > <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > - Apache Wicket 8.12.0
> > <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > - Apache Wicket 9.0.0
> > <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> >
> > Credit:
> >
> > Apache Wicket would like to thank Jonathan Juursema from
> > Topicus.Healthcare for reporting this issue.
> >
> > Apache Wicket Team
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > For additional commands, e-mail: users-h...@wicket.apache.org
> >
>
>
>
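The advisory's mitigation is to have the reverse proxy set X-Forwarded-For and discard what the client sent. The helper below shows the same idea applied in application code; it is an added example, not the poster's code and not part of Apache Wicket. It assumes the servlet API, Java 9 or later, and a constructed trusted-proxy address of 10.0.0.5. The header is honoured only when the connection comes from that proxy, and only when its value is an IP literal, so nothing that could be a hostname is ever handed to a resolver.

```java
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

public final class ClientAddress {

    // Constructed example value: the only peer allowed to set X-Forwarded-For.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    // Strict dotted-quad IPv4 literal, octets 0-255, no leading zeros.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}"
        + "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    // Conservative IPv6 shape: hex digits, colons and dots only. A DNS hostname
    // can never contain ':', so requiring one (see isIpLiteral) rules out any
    // value that a resolver could treat as a name to look up.
    private static final Pattern IPV6 = Pattern.compile("^[0-9A-Fa-f:.]{2,45}$");

    /** True only for IP literals; never true for a hostname. */
    static boolean isIpLiteral(String s) {
        if (s == null) {
            return false;
        }
        if (IPV4.matcher(s).matches()) {
            return true;
        }
        return s.indexOf(':') >= 0 && IPV6.matcher(s).matches();
    }

    /** Client address as seen through a trusted proxy, or the peer address otherwise. */
    public static String getRemoteAddr(HttpServletRequest request) {
        String peer = request.getRemoteAddr();
        if (!TRUSTED_PROXIES.contains(peer)) {
            // Direct connection: the header is whatever the client chose to send.
            return peer;
        }
        // Servlet header lookup is case-insensitive, so one lookup is enough.
        String xff = request.getHeader("X-Forwarded-For");
        if (xff == null || xff.isBlank()) {
            return peer;
        }
        // If the proxy appends rather than replaces, the last element is the one
        // our proxy added; earlier elements came from the client and are ignored.
        String[] hops = xff.split(",");
        String candidate = hops[hops.length - 1].trim();
        return isIpLiteral(candidate) ? candidate : peer;
    }
}
```

This only governs what the application's own code reads from the header; the advisory places the vulnerable lookup in Wicket's WebClientInfo, which is why its mitigation is to sanitize the header at the proxy or upgrade to the fixed releases.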
