
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN292
_____________________________________________________________________

DATE                : 28/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Wicket versions prior to
                              9.3.0, 8.12.0, 7.18.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/wicket-users/202105.mbox/%3cCAGXsc+Y+VGwzzDa1etrpTFHUPNXYRFmifE8TL_ZRzaExQGU=PA@mail.gmail.com%3e
_____________________________________________________________________

CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack


Description:

A DNS proxy and possible amplification attack vulnerability in
WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
DNS lookups from the server when the X-Forwarded-For header is not
properly sanitized. This DNS lookup can be engineered to overload an
internal DNS server or to slow down request processing of the Apache
Wicket application causing a possible denial of service on either the
internal infrastructure or the web application itself.

This issue affects Apache Wicket 9.x version 9.2.0 and prior versions;
Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x
version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0
and later versions.

Mitigation:

Sanitize the X-Forwarded-For header by running an Apache Wicket
application behind a reverse HTTP proxy. This proxy should put the
client IP address in the X-Forwarded-For header and not pass through
the contents of the header as received from the client.

The application developers are recommended to upgrade to:
- Apache Wicket 7.18.0
<https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0
<https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.3.0
<https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
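
The sanitization described above can also be checked on the application
side. The following is an added example, not code from Apache Wicket or
from this advisory: it accepts an X-Forwarded-For value only when every
entry is an IP literal, using string checks so that no name is ever
resolved. The class name, method names and the 512-character cap are
assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (hypothetical names): accept X-Forwarded-For only if every hop is an IP literal.
public class ForwardedForSanitizer {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    private static final Pattern IPV4 = Pattern.compile(OCTET + "(\\." + OCTET + "){3}");
    private static final Pattern HEX_GROUP = Pattern.compile("[0-9A-Fa-f]{1,4}");

    // Number of 1-4 digit hex groups in a ':'-separated run, or -1 if any group is malformed.
    static int countGroups(String part) {
        if (part.isEmpty()) return 0;
        String[] groups = part.split(":", -1);
        for (String g : groups) if (!HEX_GROUP.matcher(g).matches()) return -1;
        return groups.length;
    }

    // Plain IPv6 literals only; zone ids and IPv4-embedded forms are rejected (deliberately strict).
    static boolean isIpv6Literal(String s) {
        int gap = s.indexOf("::");
        if (gap < 0) return countGroups(s) == 8;
        int head = countGroups(s.substring(0, gap));
        int tail = countGroups(s.substring(gap + 2));
        return head >= 0 && tail >= 0 && head + tail <= 7;
    }

    // Returns the validated hops; an empty list means the header should be ignored.
    static List<String> sanitize(String header) {
        List<String> hops = new ArrayList<>();
        if (header == null || header.length() > 512) return hops; // 512 is an arbitrary cap
        for (String raw : header.split(",")) {
            String hop = raw.trim();
            if (!IPV4.matcher(hop).matches() && !isIpv6Literal(hop)) {
                return new ArrayList<>(); // one non-literal hop discards the whole header
            }
            hops.add(hop);
        }
        return hops;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed header values
            "203.0.113.7, 198.51.100.2", "2001:db8::1",
            "lookup-me.example.invalid", "203.0.113.7, host.example.invalid" };
        for (String s : samples) System.out.println(s + " -> " + sanitize(s));
    }
}
```

The check deliberately avoids java.net.InetAddress.getByName, which
resolves host names and would itself perform the lookup being prevented.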

Credit:

Apache Wicket would like to thank Jonathan Juursema from
Topicus.Healthcare for reporting this issue.

Apache Wicket Team

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



