Vitess security audit
PRESENTS Vitess security audit In collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation Authors Adam Korczynski, David Korczynski Date: June 5, 2023 This report is licensed under Creative Commons 4.0 (CC BY 4.0) Vitess Security Audit, 2023 Table of contents 1 Executive summary 2 Notable findings 3 Project found 16 SLSA review 38 Conclusions 40 Executive summary In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was
0 credits | 41 pages | 1.10 MB | 1 year ago

The Vitess 7.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create Reverse the lock order here. – then rollout a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 254 pages | 949.63 KB | 1 year ago

Pentest-Report Vitess 02.2019
for horizontal scaling of MySQL” From https://vitess.io/ This report documents the results of a security assessment targeting the Vitess software database scaler. Funded by the CNCF / The Linux Foundation may suggest some kind of test limitations, they in fact prove that the Vitess team delivers on the security promises they make. In Cure53’s view, there is a clear intention and follow-through on providing the test was dedicated to classic penetration testing. At this stage, it was verified whether the security promises made by Vitess in fact hold against real-life attack situations and malicious adversaries
0 credits | 9 pages | 155.02 KB | 1 year ago

The Vitess 8.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create Reverse the lock order here. – then rollout a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services and internally uses RPCs. These RPCs can optionally utilize
0 credits | 331 pages | 1.35 MB | 1 year ago

The Vitess 9.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 417 pages | 2.96 MB | 1 year ago

The Vitess 11.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 481 pages | 3.14 MB | 1 year ago

The Vitess 10.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 455 pages | 3.07 MB | 1 year ago

The Vitess 12.0 Documentation
Transport Security Model … combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify primary and replica databases, create d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client
0 credits | 534 pages | 3.32 MB | 1 year ago

The Vitess 6.0 Documentation
Transport Security Model … authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client the lock order here. – then rollout a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 210 pages | 846.79 KB | 1 year ago

The Vitess 5.0 Documentation
Transport Security Model … d authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client Reverse the lock order here. – then rollout a configuration to just use the new service. Transport Security Model Vitess exposes a few RPC services, and internally also uses RPCs. These RPCs may use secure
0 credits | 206 pages | 875.06 KB | 1 year ago

10 results in total