MariaDB replication is not secured via TLS in IPv6-enabled clusters (CVE-2025-14758)
Summary
For IPv6 pods, we set --wsrep-provider-options explicitly as a command line argument in the infra-operator. Because of that, the wsrep_provider_options from the ConfigMap mounted at /opt/bitnami/mariadb/conf/my.cnf will not be applied.
Credits
This issue was found by @martinmo and @maximilian.brandt .
Detailed Description
As a result, defaults for the remainder of the options are used, most importantly, wsrep_provider_socket_ssl = OFF. This disables encryption for the replication traffic.
The infra-operator must be changed in such a way that the correct wsrep_provider_options is rendered into the ConfigMap, taking into account whether we have a IPv4 or IPv6 cluster.
Resolution
Untested patch: 0001-Move-IPv6-wsrep_provider_options-to-configmap.patch
Embargo
The timing is unfortunate regarding the holidays. We don't know how many users are running on IPv6-enabled clusters and how much of an impact the lack of TLS has on their security model (though issues like #226 suggest it should not have much of an impact).