Posted to dev@wicket.apache.org by Emond Papegaaij <em...@gmail.com> on 2021/05/25 07:51:00 UTC

CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Description:

A DNS proxy and possible amplification attack vulnerability in
WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
DNS lookups from the server when the X-Forwarded-For header is not
properly sanitized. This DNS lookup can be engineered to overload an
internal DNS server or to slow down request processing of the Apache
Wicket application causing a possible denial of service on either the
internal infrastructure or the web application itself.

This issue affects Apache Wicket 9.x version 9.2.0 and
prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
6.x version 6.2.0 and later versions.

Mitigation:

Sanitize the X-Forwarded-For header by running an Apache Wicket
application behind a reverse HTTP proxy. This proxy should put the
client IP address in the X-Forwarded-For header and not pass through
the contents of the header as received by the client.

The application developers are recommended to upgrade to:
- Apache Wicket 7.18.0
<https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
- Apache Wicket 8.12.0
<https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
- Apache Wicket 9.0.0
<https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>

Credit:

Apache Wicket would like to thank Jonathan Juursema from
Topicus.Healthcare for reporting this issue.

Apache Wicket Team

Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Posted by Martin Grigorov <mg...@apache.org>.
On Wed, May 26, 2021, 18:37 Mihir Chhaya <mi...@gmail.com> wrote:

> Thank you for the reply.
>
> We have something like below in our code. Will this be enough or still we
> need to replace the jar file?
>

The CVE is about usage of Wicket APIs.

Anything you do in your app code is your responsibility to make sure is
secure.


> import javax.servlet.http.HttpServletRequest;
>
> // StrUtils.isBlank is the poster's own null/blank-check helper (not shown here).
> public static String getRemoteAddr(HttpServletRequest request) {
>     // If routed behind the Load Balancer, network guys put the original IP in
>     // the header as X-Forwarded-For
>     String remoteAddr = request.getHeader("X-Forwarded-For");
>     if (StrUtils.isBlank(remoteAddr)) {
>         // same header, lower-case name
>         remoteAddr = request.getHeader("x-forwarded-for");
>     }
>     if (StrUtils.isBlank(remoteAddr)) {
>         // no header at all: fall back to the TCP peer address
>         remoteAddr = request.getRemoteAddr();
>     }
>     return remoteAddr;
> }
>
>
> On Wed, May 26, 2021 at 11:05 AM Matt Pavlovich <ma...@gmail.com>
> wrote:
>
> > Thank you for the notice, and the already fixed releases =)
> >
> > Is there a JIRA or associated PR with the fix? I’m not seeing a specific
> > fix in the changelogs for 9.3.0 and 8.12.0.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On May 25, 2021, at 2:51 AM, Emond Papegaaij <emond.papegaaij@gmail.com> wrote:
> > >
> > > Description:
> > >
> > > A DNS proxy and possible amplification attack vulnerability in
> > > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > > DNS lookups from the server when the X-Forwarded-For header is not
> > > properly sanitized. This DNS lookup can be engineered to overload an
> > > internal DNS server or to slow down request processing of the Apache
> > > Wicket application causing a possible denial of service on either the
> > > internal infrastructure or the web application itself.
> > >
> > > This issue affects Apache Wicket 9.x version 9.2.0 and
> > > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > > 6.x version 6.2.0 and later versions.
> > >
> > > Mitigation:
> > >
> > > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > > application behind a reverse HTTP proxy. This proxy should put the
> > > client IP address in the X-Forwarded-For header and not pass through
> > > the contents of the header as received by the client.
> > >
> > > The application developers are recommended to upgrade to:
> > > - Apache Wicket 7.18.0
> > > <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > > - Apache Wicket 8.12.0
> > > <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > > - Apache Wicket 9.0.0
> > > <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> > >
> > > Credit:
> > >
> > > Apache Wicket would like to thank Jonathan Juursema from
> > > Topicus.Healthcare for reporting this issue.
> > >
> > > Apache Wicket Team
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > > For additional commands, e-mail: users-help@wicket.apache.org
> > >
> >
> >
> >
> >
>
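The advisory's mitigation and the helper quoted above both turn on one question: what the application does with a value it read from X-Forwarded-For. The following is an added example, not Apache Wicket code and not the helper posted in this thread. It takes plain strings (the peer address the container reports and the raw header) so it compiles without the servlet API; the class name, method names and the trusted-proxy address 10.0.0.5 are assumptions made for the example. The point it demonstrates is that the header is honoured only when the TCP peer is the site's own proxy, and even then only an IP literal is accepted, so a hostname planted in the header is never handed to anything that would resolve it.

```java
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added example, not Apache Wicket code and not the helper posted in this thread.
 * Derives the client address from X-Forwarded-For without handing the header value
 * to a resolver: only IP literals are accepted, so a hostname planted in the header
 * never becomes a DNS lookup. The trusted-proxy address is a constructed sample.
 */
public final class ClientAddressResolver {

    // Constructed sample: the only hop allowed to speak for the client is our own proxy.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    // Dotted quad with each octet in 0..255.
    private static final Pattern IPV4 = Pattern.compile(
            "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}"
            + "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    // Deliberately conservative IPv6 check: hex groups and colons only, so a zone id,
    // a bracketed form or an embedded name is rejected rather than passed on.
    private static final Pattern IPV6 =
            Pattern.compile("^[0-9a-fA-F]{0,4}(:[0-9a-fA-F]{0,4}){2,7}$");

    /* True only for an IPv4 or IPv6 literal; never resolves anything. */
    static boolean isIpLiteral(String value) {
        if (value == null) {
            return false;
        }
        return IPV4.matcher(value).matches() || IPV6.matcher(value).matches();
    }

    /*
     * peerAddress   - the TCP peer as the container reports it (request.getRemoteAddr())
     * xForwardedFor - the raw X-Forwarded-For header, or null when absent
     * Returns the address the application should treat as the client's.
     */
    static String clientAddress(String peerAddress, String xForwardedFor) {
        // A header arriving from anything but our proxy is attacker-controlled: ignore it.
        if (xForwardedFor == null || !TRUSTED_PROXIES.contains(peerAddress)) {
            return peerAddress;
        }
        // Each proxy appends the peer it received from, so the rightmost element is the
        // one our proxy vouches for; anything to the left arrived from the client as-is.
        String[] hops = xForwardedFor.split(",");
        String candidate = hops[hops.length - 1].trim();
        // Refuse anything that is not an IP literal. Passing a hostname on to, e.g.,
        // InetAddress.getByName(...) is exactly what turns a header into a DNS lookup.
        return isIpLiteral(candidate) ? candidate : peerAddress;
    }

    public static void main(String[] args) {
        // Direct client with a hostname in the header: peer is not a trusted proxy.
        System.out.println(clientAddress("203.0.113.9", "lookup-me.example"));
        // Behind the trusted proxy, header written by the proxy itself.
        System.out.println(clientAddress("10.0.0.5", "198.51.100.7"));
        // Client injected a hostname, proxy appended the real peer: only the IP survives.
        System.out.println(clientAddress("10.0.0.5", "lookup-me.example, 198.51.100.7"));
        // Proxy passed a hostname through unchanged: fall back to the proxy's address.
        System.out.println(clientAddress("10.0.0.5", "lookup-me.example"));
        // IPv6 literal from the proxy is accepted without resolution.
        System.out.println(clientAddress("10.0.0.5", "2001:db8::1"));
    }
}
```

The proxy side of the advisory's mitigation is the complement of this check: the proxy should overwrite the header with the address of its own peer rather than append to whatever the client sent. In nginx, for instance, that is the difference between proxy_set_header X-Forwarded-For $remote_addr; and the appending variable $proxy_add_x_forwarded_for. With overwriting in place the rightmost-element rule above degenerates to reading the single value, and the IP-literal check remains as the last line of defence against a misconfigured or bypassed proxy.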

Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Posted by Mihir Chhaya <mi...@gmail.com>.
Thank you for the reply.

We have something like below in our code. Will this be enough or still we
need to replace the jar file?

import javax.servlet.http.HttpServletRequest;

// StrUtils.isBlank is the poster's own null/blank-check helper (not shown here).
public static String getRemoteAddr(HttpServletRequest request) {
    // If routed behind the Load Balancer, network guys put the original IP in
    // the header as X-Forwarded-For
    String remoteAddr = request.getHeader("X-Forwarded-For");
    if (StrUtils.isBlank(remoteAddr)) {
        // same header, lower-case name
        remoteAddr = request.getHeader("x-forwarded-for");
    }
    if (StrUtils.isBlank(remoteAddr)) {
        // no header at all: fall back to the TCP peer address
        remoteAddr = request.getRemoteAddr();
    }
    return remoteAddr;
}


On Wed, May 26, 2021 at 11:05 AM Matt Pavlovich <ma...@gmail.com> wrote:

> Thank you for the notice, and the already fixed releases =)
>
> Is there a JIRA or associated PR with the fix? I’m not seeing a specific
> fix in the changelogs for 9.3.0 and 8.12.0.
>
> Thanks,
> Matt Pavlovich
>
> > On May 25, 2021, at 2:51 AM, Emond Papegaaij <em...@gmail.com>
> wrote:
> >
> > Description:
> >
> > A DNS proxy and possible amplification attack vulnerability in
> > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > DNS lookups from the server when the X-Forwarded-For header is not
> > properly sanitized. This DNS lookup can be engineered to overload an
> > internal DNS server or to slow down request processing of the Apache
> > Wicket application causing a possible denial of service on either the
> > internal infrastructure or the web application itself.
> >
> > This issue affects Apache Wicket 9.x version 9.2.0 and
> > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > 6.x version 6.2.0 and later versions.
> >
> > Mitigation:
> >
> > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > application behind a reverse HTTP proxy. This proxy should put the
> > client IP address in the X-Forwarded-For header and not pass through
> > the contents of the header as received by the client.
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket 7.18.0
> > <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > - Apache Wicket 8.12.0
> > <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > - Apache Wicket 9.0.0
> > <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> >
> > Credit:
> >
> > Apache Wicket would like to thank Jonathan Juursema from
> > Topicus.Healthcare for reporting this issue.
> >
> > Apache Wicket Team
> >
> >
>
>
>
>

Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Posted by Matt Pavlovich <ma...@gmail.com>.
Thank you for the notice, and the already fixed releases =)

Is there a JIRA or associated PR with the fix? I’m not seeing a specific fix in the changelogs for 9.3.0 and 8.12.0.

Thanks,
Matt Pavlovich

> On May 25, 2021, at 2:51 AM, Emond Papegaaij <em...@gmail.com> wrote:
> 
> Description:
> 
> A DNS proxy and possible amplification attack vulnerability in
> WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> DNS lookups from the server when the X-Forwarded-For header is not
> properly sanitized. This DNS lookup can be engineered to overload an
> internal DNS server or to slow down request processing of the Apache
> Wicket application causing a possible denial of service on either the
> internal infrastructure or the web application itself.
> 
> This issue affects Apache Wicket 9.x version 9.2.0 and
> prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> 6.x version 6.2.0 and later versions.
> 
> Mitigation:
> 
> Sanitize the X-Forwarded-For header by running an Apache Wicket
> application behind a reverse HTTP proxy. This proxy should put the
> client IP address in the X-Forwarded-For header and not pass through
> the contents of the header as received by the client.
> 
> The application developers are recommended to upgrade to:
> - Apache Wicket 7.18.0
> <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> - Apache Wicket 8.12.0
> <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> - Apache Wicket 9.0.0
> <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> 
> Credit:
> 
> Apache Wicket would like to thank Jonathan Juursema from
> Topicus.Healthcare for reporting this issue.
> 
> Apache Wicket Team
> 
> 




Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Please use users@ or dev@. There is nothing to announce@.

On Wed, May 26, 2021 at 5:36 PM Mihir Chhaya <mi...@gmail.com> wrote:

> Thank you for sharing this information.
>
> Questions:
> 1. Will there be any upgrades from Wicket-CDI, Wicket-bootstrap etc.
> libraries related to this Vulnerability?
>

wicket-cdi is part of Apache Wicket releases, so there is nothing more to
do.
wicket-bootstrap could be used with any version of Wicket, as long as it is
binary compatible, i.e. the same major version.


> 2. If yes, then should I wait for those libraries or go ahead and put the
> core Apache Wicket libraries first and then upgrade other libraries when
> available?
>

Just update wicket-core to a version with the fix.


>
> Thank you,
> -Mihir.
>
> On Tue, May 25, 2021 at 3:51 AM Emond Papegaaij <emond.papegaaij@gmail.com> wrote:
>
> > Description:
> >
> > A DNS proxy and possible amplification attack vulnerability in
> > WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> > DNS lookups from the server when the X-Forwarded-For header is not
> > properly sanitized. This DNS lookup can be engineered to overload an
> > internal DNS server or to slow down request processing of the Apache
> > Wicket application causing a possible denial of service on either the
> > internal infrastructure or the web application itself.
> >
> > This issue affects Apache Wicket 9.x version 9.2.0 and
> > prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> > Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> > 6.x version 6.2.0 and later versions.
> >
> > Mitigation:
> >
> > Sanitize the X-Forwarded-For header by running an Apache Wicket
> > application behind a reverse HTTP proxy. This proxy should put the
> > client IP address in the X-Forwarded-For header and not pass through
> > the contents of the header as received by the client.
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket 7.18.0
> > <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> > - Apache Wicket 8.12.0
> > <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> > - Apache Wicket 9.0.0
> > <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
> >
> > Credit:
> >
> > Apache Wicket would like to thank Jonathan Juursema from
> > Topicus.Healthcare for reporting this issue.
> >
> > Apache Wicket Team
> >
> >
> >
>

Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack

Posted by Mihir Chhaya <mi...@gmail.com>.
Thank you for sharing this information.

Questions:
1. Will there be any upgrades from Wicket-CDI, Wicket-bootstrap etc.
libraries related to this Vulnerability?
2. If yes, then should I wait for those libraries or go ahead and put the
core Apache Wicket libraries first and then upgrade other libraries when
available?

Thank you,
-Mihir.

On Tue, May 25, 2021 at 3:51 AM Emond Papegaaij <em...@gmail.com>
wrote:

> Description:
>
> A DNS proxy and possible amplification attack vulnerability in
> WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary
> DNS lookups from the server when the X-Forwarded-For header is not
> properly sanitized. This DNS lookup can be engineered to overload an
> internal DNS server or to slow down request processing of the Apache
> Wicket application causing a possible denial of service on either the
> internal infrastructure or the web application itself.
>
> This issue affects Apache Wicket 9.x version 9.2.0 and
> prior versions; Apache Wicket 8.x version 8.11.0 and prior versions;
> Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket
> 6.x version 6.2.0 and later versions.
>
> Mitigation:
>
> Sanitize the X-Forwarded-For header by running an Apache Wicket
> application behind a reverse HTTP proxy. This proxy should put the
> client IP address in the X-Forwarded-For header and not pass through
> the contents of the header as received by the client.
>
> The application developers are recommended to upgrade to:
> - Apache Wicket 7.18.0
> <https://wicket.apache.org/news/2021/04/06/wicket-7.18.0-released.html>
> - Apache Wicket 8.12.0
> <https://wicket.apache.org/news/2021/03/31/wicket-8.12.0-released.html>
> - Apache Wicket 9.0.0
> <https://wicket.apache.org/news/2021/03/30/wicket-9.3.0-released.html>
>
> Credit:
>
> Apache Wicket would like to thank Jonathan Juursema from
> Topicus.Healthcare for reporting this issue.
>
> Apache Wicket Team
>
>
>
