MariaDB replication is not secured via TLS in IPv6-enabled clusters (CVE-2025-14758)

Summary

For IPv6 pods, we set --wsrep-provider-options explicitly as a command line argument in the infra-operator. Because of that, the wsrep_provider_options from the ConfigMap mounted at /opt/bitnami/mariadb/conf/my.cnf will not be applied.

Credits

This issue was found by @martinmo and @maximilian.brandt .

Detailed Description

As a result, defaults for the remainder of the options are used, most importantly, wsrep_provider_socket_ssl = OFF. This disables encryption for the replication traffic.

The infra-operator must be changed in such a way that the correct wsrep_provider_options is rendered into the ConfigMap, taking into account whether we have a IPv4 or IPv6 cluster.

Resolution

Untested patch: 0001-Move-IPv6-wsrep_provider_options-to-configmap.patch

Embargo

The timing is unfortunate regarding the holidays. We don't know how many users are running on IPv6-enabled clusters and how much of an impact the lack of TLS has on their security model (though issues like #226 suggest it should not have much of an impact).

Edited by Sebastian Riese