Vitess security audit
Vitess security audit. In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation. Authors: Adam Korczynski, David Korczynski. Date: June 5, 2023. This report is licensed under Creative Commons 4.0 (CC BY 4.0). Table of contents: Executive summary (p. 2), Notable findings (p. 3), Project found (p. 16), SLSA review (p. 38), Conclusions (p. 40). Executive summary: In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was [...]
41 pages | 1.10 MB | 1 year ago
The Vitess 7.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
254 pages | 949.63 KB | 1 year ago
The Vitess 6.0 Documentation
Contents excerpt: Transport Security Model [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...] shard. Support is underway for cross-shard atomic transactions. As for atomicity, the following levels are supported: • SINGLE: disallow multi-db transactions. • MULTI: multi-db transactions with best [...]
210 pages | 846.79 KB | 1 year ago
The Vitess 5.0 Documentation
Contents excerpt: Transport Security Model [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...] shard. Support is underway for cross-shard atomic transactions. As for atomicity, the following levels are supported: • SINGLE: disallow multi-db transactions. • MULTI: multi-db transactions with best [...]
206 pages | 875.06 KB | 1 year ago
The Vitess 8.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
331 pages | 1.35 MB | 1 year ago
The Vitess 9.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
417 pages | 2.96 MB | 1 year ago
The Vitess 11.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
481 pages | 3.14 MB | 1 year ago
The Vitess 10.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
455 pages | 3.07 MB | 1 year ago
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Transport Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create reading from the master without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads0 码力 | 455 页 | 3.07 MB | 1 年前3
The Vitess 12.0 Documentation
Contents excerpt: Transport Security Model [...] (in combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify primary and replica databases, create [...] reading from the primary without a transaction is sufficient. To summarize, these are the various levels of consistency supported: • REPLICA/RDONLY read: Servers can be scaled geographically. Local reads [...]
534 pages | 3.32 MB | 1 year ago
Pentest-Report Vitess 02.2019
"Vitess is a database clustering system for horizontal scaling of MySQL" (from https://vitess.io/). This report documents the results of a security assessment targeting the Vitess software database scaler. Funded by the CNCF / The Linux Foundation [...] may suggest some kind of test limitations, they in fact prove that the Vitess team delivers on the security promises they make. In Cure53's view, there is a clear intention and follow-through on providing [...] the test was dedicated to classic penetration testing. At this stage, it was verified whether the security promises made by Vitess in fact hold against real-life attack situations and malicious adversaries [...]
9 pages | 155.02 KB | 1 year ago
10 results in total