Emergency Security Maintenance Notification

Scheduled Maintenance Report for movingimage EVP GmbH

Completed

Dear movingimage EVP users,

Maintenance is now complete. The services listed below are now fully available.

Thank you for your patience during this maintenance period. If you have any questions, feel free to get in contact with us.

Your movingimage Team
Posted Mar 26, 2025 - 19:05 CET

Verifying

Dear movingimage EVP users,

Maintenance on this application is almost complete. A short period of verification will take place. Please take note of the status of the services listed below.

All other movingimage services will remain available.

Thank you for your understanding. If you have any questions, feel free to get in contact with us.

Your movingimage Team
Posted Mar 26, 2025 - 19:00 CET

In progress

Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Mar 26, 2025 - 18:30 CET

Scheduled

Due to recently disclosed security vulnerabilities affecting Kubernetes ingress controllers, collectively referred to as “IngressNightmare,” we are conducting emergency maintenance today to upgrade the ingress controller of our production systems. This action is essential to ensure the continued protection of our systems and your data.

Details of the vulnerabilities addressed:

- CVE-2025-1097: Improper input validation in the auth-tls-match-cn Ingress annotation allows for arbitrary code execution and potential disclosure of secrets. Severity: High; CVSS Score: 8.8
- CVE-2025-1098: Improper input validation in the mirror-target and mirror-host Ingress annotations permits arbitrary code execution and possible disclosure of secrets. Severity: High; CVSS Score: 8.8
- CVE-2025-1974: Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the ingress-nginx controller, leading to potential disclosure of secrets. Severity: Critical; CVSS Score: 9.8
- CVE-2025-24513: Attacker-provided data included in filenames by the ingress-nginx Admission Controller feature can result in directory traversal within the container, leading to denial of service or limited disclosure of secret objects. Severity: Medium; CVSS Score: 4.8
- CVE-2025-24514: The auth-url Ingress annotation can be exploited to inject configuration into nginx, enabling arbitrary code execution and potential disclosure of secrets. Severity: High; CVSS Score: 8.8

During this maintenance period, you may experience intermittent disruptions across our services. We apologize for any inconvenience this may cause and appreciate your patience and understanding.

We will provide updates upon completion of this maintenance. Should you have any questions or concerns, please reach out to our support team.

References:

- Kubernetes Blog on CVE-2025-1974: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
- Ingress-NGINX Controller Release Notes v1.12.1: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- NVD Entry for CVE-2025-1097: https://nvd.nist.gov/vuln/detail/CVE-2025-1097
- NVD Entry for CVE-2025-1098: https://nvd.nist.gov/vuln/detail/CVE-2025-1098
- NVD Entry for CVE-2025-1974: https://nvd.nist.gov/vuln/detail/CVE-2025-1974
- NVD Entry for CVE-2025-24513: https://nvd.nist.gov/vuln/detail/CVE-2025-24513
- NVD Entry for CVE-2025-24514: https://nvd.nist.gov/vuln/detail/CVE-2025-24514

Thank you for your trust and understanding as we continue to prioritise your security.
Posted Mar 26, 2025 - 10:12 CET
This scheduled maintenance affected: Applications (VideoManager Pro, CorporateTube, Webcast, Analytics, LSPro) and Platform Services (Authentication and SSO).
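
For operators who run their own ingress-nginx, the annotations and the fixed release named in the notice above translate into a short inventory check. This is an added example, not movingimage's or the ingress-nginx project's code; the sample objects and function names are constructed, and the 1.11.5 threshold is taken from the upstream Kubernetes advisory rather than from this page.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"  # standard ingress-nginx annotation prefix
ANNOTATION_CVES = {  # annotation names and CVE ids as listed in the notice
    "auth-tls-match-cn": "CVE-2025-1097",
    "mirror-target": "CVE-2025-1098",
    "mirror-host": "CVE-2025-1098",
    "auth-url": "CVE-2025-24514",
}

def audit_ingresses(ingress_list):
    """Return one finding per Ingress annotation named in the CVE list."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            name = key[len(PREFIX):] if key.startswith(PREFIX) else None
            if name not in ANNOTATION_CVES:
                continue
            findings.append({
                "ingress": f"{meta.get('namespace', 'default')}/{meta.get('name')}",
                "annotation": name,
                "cve": ANNOTATION_CVES[name],
                # Line breaks never belong in these values: review first.
                "multiline": "\n" in value or "\r" in value,
            })
    return findings

def controller_is_patched(image):
    """True for tags >= v1.12.1, or 1.11.x tags >= v1.11.5 (upstream advisory)."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return False  # unparseable tag: report as unpatched so a human checks
    v = tuple(int(p) for p in m.groups())
    return v >= (1, 12, 1) or (1, 11, 5) <= v < (1, 12, 0)

# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "shop", "namespace": "web", "annotations": {
        PREFIX + "auth-url": "https://auth.example.internal/check"}}},
    {"metadata": {"name": "mirror", "namespace": "staging", "annotations": {
        PREFIX + "mirror-target": "https://mirror.example.internal\nsecond-line"}}},
    {"metadata": {"name": "plain", "namespace": "web", "annotations": {
        PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"name": "bare", "namespace": "web"}},
]}

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        print(f)
```

A finding only shows where one of the listed annotations is in use; on a patched controller these annotations are validated, so the list is a review queue, not evidence of compromise.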