Executive Summary

This vulnerability in the MariaDB component of the YAOOK Operator infra-operator involves incorrect configuration of replication security, specifically for IPv6-enabled clusters. The infra-operator sets the replication provider options via command line arguments in a way that overrides the intended configuration from the ConfigMap, resulting in TLS encryption being disabled for replication traffic. This means replication data, including potentially sensitive database contents, is transmitted unencrypted and can be intercepted by an on-path attacker. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an on-path attacker to read the contents of the database replication traffic, potentially exposing sensitive information such as credentials. Since the replication traffic is not encrypted due to disabled TLS, attackers can intercept and access confidential data during replication between MariaDB nodes in IPv6-enabled clusters. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the MariaDB replication traffic is encrypted with TLS. Specifically, verify if the `wsrep_provider_socket_ssl` option is set to OFF, which disables encryption for replication traffic. You can inspect the MariaDB configuration by examining the ConfigMap at `/opt/bitnami/mariadb/conf/my.cnf` and checking the effective `wsrep_provider_options`. Additionally, check the command line arguments of the infra-operator pods to see if `--wsrep-provider-options` is set, which may override the ConfigMap settings. Commands to help detect this include: 1) `kubectl get pods -n <namespace> -o yaml | grep wsrep-provider-options` to find if the argument is set; 2) `kubectl exec -it <mariadb-pod> -- cat /opt/bitnami/mariadb/conf/my.cnf | grep wsrep_provider_socket_ssl` to check the config file; 3) Network traffic capture tools (e.g., tcpdump) to verify if replication traffic is unencrypted over IPv6. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, modify the infra-operator deployment to ensure that the `wsrep_provider_options` are correctly rendered into the ConfigMap rather than being overridden by command line arguments. This includes applying logic to differentiate between IPv4 and IPv6 clusters so that TLS encryption is enabled for replication traffic. If possible, apply the proposed patch `0001-Move-IPv6-wsrep_provider_options-to-configmap.patch` to fix the issue. Until a fix is applied, avoid using IPv6-enabled clusters for MariaDB replication or monitor and restrict network access to replication traffic to prevent on-path attackers from intercepting data. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an on-path attacker to read database contents, potentially including credentials, due to lack of TLS encryption in MariaDB replication traffic. This exposure of sensitive data could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive information during transmission. However, the exact impact on compliance depends on the deployment environment and whether IPv6-enabled clusters are used without the recommended fixes. [1]

Useful 0 Not Useful 0