On Wed, May 26, 2021, 18:37 Mihir Chhaya <mihir.chh...@gmail.com> wrote:
> Thank you for the reply.
>
> We have something like below in our code. Will this be enough or still we
> need to replace the jar file?

The CVE is about usage of Wicket APIs. Anything you do in your app code is
your responsibility to make sure is secure.

> public static String getRemoteAddr(HttpServletRequest request) {
>     // If routed behind the Load Balancer, network guys put the original IP in
>     // the header as XForwarded-For
>     String remoteAddr = request.getHeader("X-Forwarded-For");
>     if (StrUtils.isBlank(remoteAddr)) {
>         remoteAddr = request.getHeader("x-forwarded-for");
>     }
>     if (StrUtils.isBlank(remoteAddr)) {
>         remoteAddr = request.getRemoteAddr();
>     }
>     return remoteAddr;
> }
>
> On Wed, May 26, 2021 at 11:05 AM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> > Thank you for the notice, and the already fixed releases =)
> >
> > Is there a JIRA or associated PR with the fix? I’m not seeing a specific
> > fix in the changelogs for 9.3.0 and 8.12.0.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On May 25, 2021, at 2:51 AM, Emond Papegaaij <emond.papega...@gmail.com> wrote:
> > >
> > > Description:
> > >
> > > A DNS proxy and possible amplification attack vulnerability in
> > > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > > DNS lookups from the server when the X-Forwarded-For header is not
> > > properly sanitized. This DNS lookup can be engineered to overload an
> > > internal DNS server or to slow down request processing of the Apache
> > > Wicket application causing a possible denial of service on either the
> > > internal infrastructure or the web application itself.
> > >
> > > This issue affects Apache Wicket 9.x version 9.2.0 and
> > > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > > 6.x version 6.2.0 and later versions.
> > >
> > > Mitigation:
> > >
> > > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > > application behind a reverse HTTP proxy. This proxy should put the
> > > client IP address in the X-Forwarded-For header and not pass through
> > > the contents of the header as received by the client.
> > >
> > > The application developers are recommended to upgrade to:
> > > - Apache Wicket 7.18.0
> > >   <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > > - Apache Wicket 8.12.0
> > >   <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > > - Apache Wicket 9.0.0
> > >   <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> > >
> > > Credit:
> > >
> > > Apache Wicket would like to thank Jonathan Juursema from
> > > Topicus.Healthcare for reporting this issue.
> > >
> > > Apache Wicket Team
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> > > For additional commands, e-mail: users-h...@wicket.apache.org
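The advisory's mitigation (let only the reverse proxy write X-Forwarded-For) and the helper quoted above both hinge on one question: can the value read from the header reach a resolver? The following is an added example, not Wicket's code and not the poster's, of a hardened version of that helper. It assumes a servlet container with the `javax.servlet` API (newer containers use the `jakarta.servlet` package instead), Java 11 or later, and a constant `TRUSTED_PROXIES` listing the load balancers' own addresses (the two addresses below are constructed placeholders). The header is only believed when the TCP peer is one of those proxies, the list is walked from the right so that only the hop appended by a trusted proxy is used, and a value is accepted only if it is an IPv4 or IPv6 literal, so no hostname is ever passed to `InetAddress.getByName` or any other lookup.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (not Wicket's or the poster's code): X-Forwarded-For handling
 * that never triggers a DNS lookup and never trusts a client-supplied value.
 */
public final class ForwardedAddress {

    /** Assumed: addresses of the reverse proxies / load balancers in front of the app. */
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    private ForwardedAddress() {}

    public static String getRemoteAddr(HttpServletRequest request) {
        String peer = request.getRemoteAddr();
        // Request did not arrive via our proxy: ignore whatever the client sent.
        if (!TRUSTED_PROXIES.contains(peer)) {
            return peer;
        }
        // Header names are case-insensitive in the Servlet API; one lookup suffices.
        String header = request.getHeader("X-Forwarded-For");
        if (header == null || header.isBlank()) {
            return peer;
        }
        // Format is "client, proxy1, proxy2". Walk from the right: entries added by
        // our own proxies are skipped, the first foreign entry is the client.
        String[] hops = header.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = stripBrackets(hops[i].trim());
            if (!isIpLiteral(hop)) {
                // Hostname or garbage: do not resolve it, fall back to the peer.
                return peer;
            }
            if (!TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return peer;
    }

    /** Accepts "[2001:db8::1]" as written by some proxies for IPv6. */
    static String stripBrackets(String s) {
        if (s.length() > 1 && s.startsWith("[") && s.endsWith("]")) {
            return s.substring(1, s.length() - 1);
        }
        return s;
    }

    /** True only for an IPv4 dotted quad or an IPv6 hex literal; no DNS involved. */
    static boolean isIpLiteral(String s) {
        return isIpv4Literal(s) || isIpv6Literal(s);
    }

    private static final String OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])";

    static boolean isIpv4Literal(String s) {
        return s.matches(OCTET + "(\\." + OCTET + "){3}");
    }

    static boolean isIpv6Literal(String s) {
        // Only hex digits, colons and dots; a hostname cannot satisfy this and the
        // colon rules together, so nothing that passes is resolvable as a name.
        if (!s.matches("[0-9A-Fa-f:.]+") || s.indexOf(':') < 0) {
            return false;
        }
        int doubleColons = s.split("::", -1).length - 1;
        if (doubleColons > 1) {
            return false;
        }
        String body = s;
        int groups = 0;
        // Optional dotted IPv4 tail, e.g. ::ffff:192.0.2.1, counts as two groups.
        String tail = s.substring(s.lastIndexOf(':') + 1);
        if (tail.indexOf('.') >= 0) {
            if (!isIpv4Literal(tail)) {
                return false;
            }
            body = s.substring(0, s.lastIndexOf(':') + 1);
            groups = 2;
        }
        for (String group : body.split(":", -1)) {
            if (group.isEmpty()) {
                continue; // produced by "::" (or a leading/trailing colon)
            }
            if (group.length() > 4 || group.indexOf('.') >= 0) {
                return false;
            }
            groups++;
        }
        return doubleColons == 1 ? groups < 8 : groups == 8;
    }
}
```

The hand-written literal checks exist only to keep the example dependency-free; in a real code base Guava's `InetAddresses.isInetAddress(String)` does the same job. The important property is the combination of the two rules: validating the literal stops the lookup the advisory describes, and checking the peer against `TRUSTED_PROXIES` stops a direct client from spoofing its address even when the value is a well-formed IP.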