{"id":5162,"date":"2025-12-12T15:41:41","date_gmt":"2025-12-12T14:41:41","guid":{"rendered":"https:\/\/yaook.cloud\/?page_id=5162"},"modified":"2025-12-17T15:07:36","modified_gmt":"2025-12-17T14:07:36","slug":"security-advisories-cve-2025-14758","status":"publish","type":"page","link":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2025-14758\/","title":{"rendered":"security-advisories\/cve-2025-14758"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"5162\" class=\"elementor elementor-5162\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ea1b144 e-flex e-con-boxed e-con e-parent\" data-id=\"ea1b144\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b9dbf39 elementor-widget elementor-widget-text-editor\" data-id=\"b9dbf39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h1 id=\"yaook-security-advisory-for-cve-2022-47951\">YAOOK Security Advisory for CVE-2025-14758<\/h1><ul><li>Date: 2025-12-12<\/li><li>Affected versions: &gt;=0.20240809.0 &lt;0.20251211.0<\/li><li>Fixed versions: 0.20251211.0<\/li><li>Bug report: <a href=\"https:\/\/gitlab.com\/yaook\/operator\/-\/issues\/631\">https:\/\/gitlab.com\/yaook\/operator\/-\/issues\/631<\/a><\/li><li>Patch: <a href=\"https:\/\/gitlab.com\/-\/project\/21574229\/uploads\/6a4f06d3ae63f8ed4657825f864f9d59\/0001-Move-IPv6-wsrep_provider_options-to-configmap.patch\">https:\/\/gitlab.com\/-\/project\/21574229\/uploads\/6a4f06d3ae63f8ed4657825f864f9d59\/0001-Move-IPv6-wsrep_provider_options-to-configmap.patch<\/a><\/li><\/ul><h2>What is CVE-2025-14758 and how does it affect YAOOK?<\/h2><p>CVE-2025-14758 describes the issue that MariaDB replication traffic is sent<br \/>unencrypted between MariaDB instances managed by YAOOK&#8217;s infra-operator if the<br \/>cluster is IPv6-enabled.<\/p><p>In 2024, YAOOK gained official support for running inside IPv6-only and<br \/>dual-stack Kubernetes clusters. For this, various services had to be updated to<br \/>allow listening on IPv6 sockets in addition to (or instead of) IPv4 sockets.<\/p><p>For MariaDB, there exist three communication channels: The normal client\/server<br \/>traffic with MariaDB-compatible clients (such as the OpenStack APIs), the<br \/>incremental state transfer and online replication traffic (WSREP) and the SST<br \/>channel (used if, after a restart, the incremental state transfer is not<br \/>sufficient to bring a replica up-to-date).<\/p><p>The WSREP transfer channel is configured through a single MariaDB configuration<br \/>option called <code>wsrep-provider-options<\/code>. Before the addition of IPv6 support,<br \/>this option was set up by YAOOK exclusively through the MariaDB configuration<br \/>file. As value to that single option, one provides the path to the TLS<br \/>certificates and the listening address of the WSREP channel, formatted as string<br \/>into in a MariaDB-specific format.<\/p><p>When IPv6 support was implemented, the listening address of the WSREP socket had<br \/>to be changed to <code>[::]<\/code> in order to be able to accept connections from other<br \/>instances via IPv6. This was<br \/><a href=\"https:\/\/gitlab.com\/yaook\/operator\/-\/commit\/21ceaa1375bfd08d5706adfcd74f630f2cb12733?merge_request_iid=2531\">implemented by passing an additional <code>--wsrep-provider-options<\/code> command line argument to the MariaDB process<\/a>.<br \/>Unfortunately, that overrode the TLS-related options from the configuration<br \/>file, effectively disabling TLS for the WSREP channel whenever that code path<br \/>is hit.<\/p><h2>Is my cluster vulnerable?<\/h2><p>The affected code path is executed whenever the <code>status.podIP<\/code> field of the<br \/>MariaDB pod is an IPv6 address. This is the case in IPv6-only clusters and may<br \/>be the case in dual-stack clusters.<\/p><p>If that is the case, TLS encryption of the WSREP channel is disabled, which<br \/>causes almost all MariaDB contents to be transferred without encryption in<br \/>transit.<\/p><h2>Mitigating factors<\/h2><ul><li>This vulnerability only affects IPv6-only clusters.<\/li><li>The unencrypted traffic never leaves the Kubernetes service network, which<br \/>may or may not already be a trusted domain in your security model.<\/li><\/ul><h2>Upgrading<\/h2><p>A new stable release with version 0.20251211.0 has been published. Affected<br \/>clusters will face a downtime during upgrades, because TLS encryption on the<br \/>WSREP channel cannot be enabled online.<\/p><p>During the upgrade, the highest replica of all databases managed by the<br \/>infra-operator will enter a Error \/ CrashLoopBackOff state. At that point, you<br \/>have to execute the following steps for each separate database instance:<\/p><ol><li><code>yaookctl pause mysqlservices $name<\/code><\/li><li><code>kubectl -n yaook scale sts $name-db --replicas=0<\/code><\/li><li>Wait for the last database replica to terminate.<\/li><li>Optional: <code>kubectl -n yaook scale sts $name-db --replicas=$n<\/code>, where <code>$n<\/code> is<br \/>the number of replicas you usually have. This may be slightly faster than<br \/>waiting for the infra-operator to reset the replica count after the next<br \/>command.<\/li><li><code>yaookctl unpause mysqlservices $name<\/code><\/li><\/ol><p>During the time the last replica of a database is shut down, the database can,<br \/>obviously, not serve requests. This will cause HTTP 500 responses from affected<br \/>API services and may have downstream adverse effects on workloads (such as<br \/>Kubernetes Cinder CSI providers running inside the cluster).<\/p><h2>Credits<\/h2><p>This vulnerability was found by Martin Morgenstern and Maximilian Brandt,<br \/>CLOUD&amp;HEAT Technologies GmbH.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>YAOOK Security Advisory for CVE-2025-14758 Date: 2025-12-12 Affected versions: &gt;=0.20240809.0 &lt;0.20251211.0 Fixed versions: 0.20251211.0 Bug report: https:\/\/gitlab.com\/yaook\/operator\/-\/issues\/631 Patch: https:\/\/gitlab.com\/-\/project\/21574229\/uploads\/6a4f06d3ae63f8ed4657825f864f9d59\/0001-Move-IPv6-wsrep_provider_options-to-configmap.patch What is CVE-2025-14758 and how does it affect YAOOK? CVE-2025-14758 describes the issue that MariaDB replication traffic is sentunencrypted between MariaDB instances managed by YAOOK&#8217;s infra-operator if thecluster is IPv6-enabled. In 2024, YAOOK gained official support [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-5162","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>security-advisories\/cve-2025-14758 &#187; Yaook<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2025-14758\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"security-advisories\/cve-2025-14758 &#187; Yaook\" \/>\n<meta property=\"og:description\" content=\"YAOOK Security Advisory for CVE-2025-14758 Date: 2025-12-12 Affected versions: &gt;=0.20240809.0 &lt;0.20251211.0 Fixed versions: 0.20251211.0 Bug report: https:\/\/gitlab.com\/yaook\/operator\/-\/issues\/631 Patch: https:\/\/gitlab.com\/-\/project\/21574229\/uploads\/6a4f06d3ae63f8ed4657825f864f9d59\/0001-Move-IPv6-wsrep_provider_options-to-configmap.patch What is CVE-2025-14758 and how does it affect YAOOK? CVE-2025-14758 describes the issue that MariaDB replication traffic is sentunencrypted between MariaDB instances managed by YAOOK&#8217;s infra-operator if thecluster is IPv6-enabled. In 2024, YAOOK gained official support [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/yaook.cloud\/en\/security-advisories-cve-2025-14758\/\" \/>\n<meta property=\"og:site_name\" content=\"Yaook\" \/>\n<meta property=\"article:modified_time\" content=\"2025-12-17T14:07:36+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2025-14758\\\/\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2025-14758\\\/\",\"name\":\"security-advisories\\\/cve-2025-14758 &#187; Yaook\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\"},\"datePublished\":\"2025-12-12T14:41:41+00:00\",\"dateModified\":\"2025-12-17T14:07:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2025-14758\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2025-14758\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/security-advisories-cve-2025-14758\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/yaook.cloud\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"security-advisories\\\/cve-2025-14758\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#website\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"name\":\"Yaook\",\"description\":\"The Lifecycle Management Tool for OpenStack\",\"publisher\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/yaook.cloud\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#organization\",\"name\":\"ALASCA e.V.\",\"alternateName\":\"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.\",\"url\":\"https:\\\/\\\/yaook.cloud\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"contentUrl\":\"https:\\\/\\\/alasca.cloud\\\/wp-content\\\/uploads\\\/2022\\\/08\\\/favicon.png\",\"width\":512,\"height\":512,\"caption\":\"ALASCA e.V.\"},\"image\":{\"@id\":\"https:\\\/\\\/yaook.cloud\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"security-advisories\/cve-2025-14758 \u00bb Yaook","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2025-14758\/","og_locale":"en_GB","og_type":"article","og_title":"security-advisories\/cve-2025-14758 &#187; Yaook","og_description":"YAOOK Security Advisory for CVE-2025-14758 Date: 2025-12-12 Affected versions: &gt;=0.20240809.0 &lt;0.20251211.0 Fixed versions: 0.20251211.0 Bug report: https:\/\/gitlab.com\/yaook\/operator\/-\/issues\/631 Patch: https:\/\/gitlab.com\/-\/project\/21574229\/uploads\/6a4f06d3ae63f8ed4657825f864f9d59\/0001-Move-IPv6-wsrep_provider_options-to-configmap.patch What is CVE-2025-14758 and how does it affect YAOOK? CVE-2025-14758 describes the issue that MariaDB replication traffic is sentunencrypted between MariaDB instances managed by YAOOK&#8217;s infra-operator if thecluster is IPv6-enabled. In 2024, YAOOK gained official support [&hellip;]","og_url":"https:\/\/yaook.cloud\/en\/security-advisories-cve-2025-14758\/","og_site_name":"Yaook","article_modified_time":"2025-12-17T14:07:36+00:00","twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2025-14758\/","url":"https:\/\/yaook.cloud\/security-advisories-cve-2025-14758\/","name":"security-advisories\/cve-2025-14758 \u00bb Yaook","isPartOf":{"@id":"https:\/\/yaook.cloud\/#website"},"datePublished":"2025-12-12T14:41:41+00:00","dateModified":"2025-12-17T14:07:36+00:00","breadcrumb":{"@id":"https:\/\/yaook.cloud\/security-advisories-cve-2025-14758\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/yaook.cloud\/security-advisories-cve-2025-14758\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/yaook.cloud\/security-advisories-cve-2025-14758\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/yaook.cloud\/"},{"@type":"ListItem","position":2,"name":"security-advisories\/cve-2025-14758"}]},{"@type":"WebSite","@id":"https:\/\/yaook.cloud\/#website","url":"https:\/\/yaook.cloud\/","name":"Yaook","description":"The Lifecycle Management Tool for OpenStack","publisher":{"@id":"https:\/\/yaook.cloud\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/yaook.cloud\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/yaook.cloud\/#organization","name":"ALASCA e.V.","alternateName":"Alasca - Verband f\u00fcr betriebsf\u00e4hige, offene Cloud-Infrastrukturen e.V.","url":"https:\/\/yaook.cloud\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/","url":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","contentUrl":"https:\/\/alasca.cloud\/wp-content\/uploads\/2022\/08\/favicon.png","width":512,"height":512,"caption":"ALASCA e.V."},"image":{"@id":"https:\/\/yaook.cloud\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/comments?post=5162"}],"version-history":[{"count":24,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5162\/revisions"}],"predecessor-version":[{"id":5206,"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/pages\/5162\/revisions\/5206"}],"wp:attachment":[{"href":"https:\/\/yaook.cloud\/en\/wp-json\/wp\/v2\/media?parent=5162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}