Vitess security audit
PRESENTS Vitess security audit. In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation. Authors: Adam Korczynski, David Korczynski. Date: June 5, 2023. This report is licensed under Creative Commons 4.0 (CC BY 4.0). Vitess Security Audit, 2023. Table of contents: Table of contents 1; Executive summary 2; Notable findings 3; Project found 16; SLSA review 38; Conclusions 40. Executive summary: In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was ...
41 pages | 1.10 MB | 1 year ago
The Vitess 7.0 Documentation
... 32; Build the docker image ... 32; Run the docker image ... 62; 4 Transport Security Model ... | ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create ...
254 pages | 949.63 KB | 1 year ago
The Vitess 11.0 Documentation
... 83; Build the docker image ... 83; Run the docker image ... 91; Vttestserver Docker Image ... 91; Get the docker image ... 91; Run the docker image ... 92
481 pages | 3.14 MB | 1 year ago
The Vitess 12.0 Documentation
... 103; Build the docker image ... 103; Run the docker image ... 110; Vttestserver Docker Image ... 111; Get the docker image ... 111; Run the docker image ... 111
534 pages | 3.32 MB | 1 year ago
The Vitess 8.0 Documentation
... 44; Build the docker image ... 44; Run the docker image ... 81; Transport Security Model ... | ... (System variable: Handled) auto_increment_offset: NotSupported; binlog_direct_non_transactional_updates: NotSupported; binlog_row_image: NotSupported; binlog_rows_query_log_events: NotSupported; innodb_ft_enable_stopword: NotSupported; inn...
331 pages | 1.35 MB | 1 year ago
The Vitess 9.0 Documentation
... 71; Build the docker image ... 71; Run the docker image ... 112; Transport Security Model ... | ... (System variable: Handled) auto_increment_offset: NotSupported; binlog_direct_non_transactional_updates: NotSupported; binlog_row_image: NotSupported; binlog_rows_query_log_events: NotSupported; innodb_ft_enable_stopword ...
417 pages | 2.96 MB | 1 year ago
The Vitess 10.0 Documentation
... 81; Build the docker image ... 81; Run the docker image ... 123; Transport Security Model ... | ... (System variable: Handled) auto_increment_offset: NotSupported; binlog_direct_non_transactional_updates: NotSupported; binlog_row_image: NotSupported; binlog_rows_query_log_events: NotSupported; innodb_ft_enable_stopword: NotSupported ...
455 pages | 3.07 MB | 1 year ago
The Vitess 6.0 Documentation
... 59; Transport Security Model ... | ... Image Source. The Vitess code is hosted on GitHub. This repository is called upstream. You develop and commit your changes in a clone of our upstream repository (shown as local in the image above) ... authentication plugin. Support for caching_sha2_password can be tracked in #5399. ... Transport Security: To configure VTGate to support TLS, set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client ...
210 pages | 846.79 KB | 1 year ago
The Vitess 5.0 Documentation
... 66; Transport Security Model ... | ... this page. Otherwise, you may skip it. Our GitHub workflow is a so-called triangular workflow. Image Source: https://github.com/blog/2042-git-2-5-including-multiple-worktrees-and-triangular-workflows ... You develop and commit your changes in a clone of our upstream repository (shown as local in the image above). Then you push your changes to your forked repository (origin) and send us a pull request.
206 pages | 875.06 KB | 1 year ago
Pentest-Report Vitess 02.2019
... for horizontal scaling of MySQL” (from https://vitess.io/). This report documents the results of a security assessment targeting the Vitess software database scaler. Funded by the CNCF / The Linux Foundation ... may suggest some kind of test limitations, they in fact prove that the Vitess team delivers on the security promises they make. In Cure53’s view, there is a clear intention and follow-through on providing ... the test was dedicated to classic penetration testing. At this stage, it was verified whether the security promises made by Vitess in fact hold against real-life attack situations and malicious adversaries ...
9 pages | 155.02 KB | 1 year ago
10 items in total