Vitess security audit
PRESENTS Vitess security audit In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: June 5, 2023 This report is licensed under Creative Commons 4.0 (CC BY 4.0) Vitess Security Audit, 2023 Table of contents Table of contents 1 Executive summary 2 Notable findings 3 Project found 16 SLSA review 38 Conclusions 40 1 Vitess Security Audit, 2023 Executive summary In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was
0 credits | 41 pages | 1.10 MB | 1 year ago
Pentest-Report Vitess 02.2019
horizontal scaling of MySQL” From https://vitess.io/ This report documents the results of a security assessment targeting the Vitess software database scaler. Funded by the CNCF / The Linux Foundation, this interaction, low-level protocol analysis and multi-angled penetration testing. Prior to the assessment, a CNCF-typical setup was requested by the testers and provided by the development team channel was used for arising questions and further inspiration for the test. An initial assessment of the interfaces and the system architecture, supported also by additional exchange with the development
0 credits | 9 pages | 155.02 KB | 1 year ago
The Vitess 7.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create Reverse the lock order here. – then roll out a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 254 pages | 949.63 KB | 1 year ago
The Vitess 8.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create Reverse the lock order here. – then roll out a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services and internally uses RPCs. These RPCs can optionally utilize
0 credits | 331 pages | 1.35 MB | 1 year ago
The Vitess 9.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 417 pages | 2.96 MB | 1 year ago
The Vitess 11.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 481 pages | 3.14 MB | 1 year ago
The Vitess 10.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 455 pages | 3.07 MB | 1 year ago
The Vitess 12.0 Documentation
Transport Security Model ... combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify primary and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 534 pages | 3.32 MB | 1 year ago
The Vitess 6.0 Documentation
Transport Security Model ... authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client the lock order here. – then roll out a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 210 pages | 846.79 KB | 1 year ago
The Vitess 5.0 Documentation
Transport Security Model ... d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client Reverse the lock order here. – then roll out a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 206 pages | 875.06 KB | 1 year ago
10 results in total