Vitess security audit (41 pages, 1.10 MB)
Report cover: Vitess security audit, in collaboration with the Vitess maintainers, Open Source Technology Improvement Fund and The Linux Foundation. Authors: Adam Korczynski, David Korczynski. Date: June 5, 2023. This report is licensed under Creative Commons 4.0 (CC BY 4.0). Table of contents: Executive summary; Notable findings; Project found; SLSA review; Conclusions. Executive summary: "In March and April 2023, Ada Logics carried out a security audit of Vitess. The primary focus of the audit was [...]"

The Vitess 11.0 Documentation (481 pages, 3.14 MB)
Table of contents entry: Transport Security Model (p. 134). Snippet: "[...] MySQL exposes. Vitess handles system variables in one of four different ways: No op. For some settings, Vitess will just silently ignore the setting. This is for system variables that don't make much [...] already set. These are settings that should not change, but Vitess will allow SET statements that try to set the variable to whatever it already is. Not supported. For these settings, attempting to change [...]"

The Vitess 9.0 Documentation (417 pages, 2.96 MB)
Table of contents entry: Transport Security Model (p. 112). Snippet: "[...] MySQL exposes. Vitess handles system variables in one of four different ways: No op. For some settings, Vitess will just silently ignore the setting. This is for system variables that don't make much [...] already set. These are settings that should not change, but Vitess will allow SET statements that try to set the variable to whatever it already is. Not supported. For these settings, attempting to change [...]"

The Vitess 7.0 Documentation (254 pages, 949.63 KB)
Table of contents entry: Transport Security Model (p. 62). Snippet: "[...] combination with vtctld). Using client-server is recommended, as it provides an additional layer of security when using the client remotely. Using vtctl, you can identify master and replica databases, create [...] it catch up. Relying on replication also allows you to loosen some of the disk-based durability settings. For example, you can turn off sync_binlog, which greatly reduces the number of IOPS to the disk [...]"

The Vitess 10.0 Documentation (455 pages, 3.07 MB)
Table of contents entry: Transport Security Model (p. 123). Snippet: "[...] MySQL exposes. Vitess handles system variables in one of four different ways: No op. For some settings, Vitess will just silently ignore the setting. This is for system variables that don't make much [...] already set. These are settings that should not change, but Vitess will allow SET statements that try to set the variable to whatever it already is. Not supported. For these settings, attempting to change [...]"

The Vitess 8.0 Documentation (331 pages, 1.35 MB)
Table of contents entry: Transport Security Model (p. 81). Snippet: "[...] MySQL exposes. Vitess handles system variables in one of four different ways: No op. For some settings, Vitess will just silently ignore the setting. This is for system variables that don't make much [...] already set. These are settings that should not change, but Vitess will allow SET statements that try to set the variable to whatever it already is. Not supported. For these settings, attempting to change [...]"

The Vitess 12.0 Documentation (534 pages, 3.32 MB)
Table of contents entry: Transport Security Model (p. 158). Snippet: "[...] MySQL exposes. Vitess handles system variables in one of four different ways: No op. For some settings, Vitess will just silently ignore the setting. This is for system variables that don't make much [...] already set. These are settings that should not change, but Vitess will allow SET statements that try to set the variable to whatever it already is. Not supported. For these settings, attempting to change [...]"

The Vitess 5.0 Documentation (206 pages, 875.06 KB)
Table of contents entry: Transport Security Model (p. 66). Snippet: "[...] rows in set (0.01 sec). It is recommended to configure the MySQL command line to default to these settings, as the user guides omit -h 127.0.0.1 -P 15306 for brevity. Paste the following: cat << EOF > ~/[...] port=15306 EOF. Repeating the previous step, you should now be able to use the mysql client without any settings: ~/my-vitess-example> mysql. Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL [...]"

The Vitess 6.0 Documentation (210 pages, 846.79 KB)
Table of contents entry: Transport Security Model (p. 59). Snippet: "[...] it catch up. Relying on replication also allows you to loosen some of the disk-based durability settings. For example, you can turn off sync_binlog, which greatly reduces the number of IOPS to the disk [...] authentication plugin. Support for caching_sha2_password can be tracked in #5399. Transport Security: To configure VTGate to support TLS set -mysql_server_ssl_cert and -mysql_server_ssl_key. Client [...]"

Pentest-Report Vitess 02.2019 (9 pages, 155.02 KB)
Snippet: "[...] for horizontal scaling of MySQL" (from https://vitess.io/). This report documents the results of a security assessment targeting the Vitess software database scaler. Funded by the CNCF / The Linux Foundation [...] may suggest some kind of test limitations, they in fact prove that the Vitess team delivers on the security promises they make. In Cure53's view, there is a clear intention and follow-through on providing [...] the test was dedicated to classic penetration testing. At this stage, it was verified whether the security promises made by Vitess in fact hold against real-life attack situations and malicious adversaries [...]"
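The Vitess 6.0 Documentation snippet above names the two VTGate flags for serving MySQL-protocol TLS, -mysql_server_ssl_cert and -mysql_server_ssl_key, but stops before saying how to verify the material you pass in. The POSIX shell helper below is an added example, not code from the Vitess project or its documentation: it checks that a certificate and private key actually belong together (same public key) before the flag string is built, and rejects a key from a different pair. The file names, the self-signed demo pair and the printed flag string are assumptions for illustration; only the flag names come from the page.

```shell
#!/bin/sh
# Added example, not code from the Vitess project or its documentation.
# Verifies that a TLS certificate and private key belong together before
# they are handed to vtgate via -mysql_server_ssl_cert / -mysql_server_ssl_key
# (the flags named in the 6.0 documentation snippet). File names, the demo
# pair generation and the printed flag string are assumptions for illustration.

# Create a constructed, self-signed pair in "$1" (demo only, not for production).
make_demo_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=vtgate.example" \
    -keyout "$1/vtgate-key.pem" -out "$1/vtgate-cert.pem" >/dev/null 2>&1
}

# Return 0 only when the public key embedded in the certificate equals the
# public key derived from the private key. A mismatch means vtgate would
# either fail at startup or, depending on the TLS library, present a
# certificate it cannot prove possession of.
check_pair() {
  cert="$1"
  key="$2"
  [ -r "$cert" ] && [ -r "$key" ] || return 1
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Emit the vtgate flags only for a pair that passed check_pair.
vtgate_tls_flags() {
  check_pair "$1" "$2" || return 1
  printf -- '-mysql_server_ssl_cert=%s -mysql_server_ssl_key=%s\n' "$1" "$2"
}

# Stand-alone run: generate a demo pair, print the flags, then show that a key
# from a different pair is rejected.
if [ "${1:-}" = "demo" ]; then
  a=$(mktemp -d); b=$(mktemp -d)
  make_demo_pair "$a" && make_demo_pair "$b"
  vtgate_tls_flags "$a/vtgate-cert.pem" "$a/vtgate-key.pem"
  vtgate_tls_flags "$a/vtgate-cert.pem" "$b/vtgate-key.pem" || echo "mismatched pair rejected"
  rm -rf "$a" "$b"
fi
```

Run it as `sh check-vtgate-tls.sh demo` to see both outcomes; in a deployment script you would call vtgate_tls_flags with the real certificate and key paths and abort if it returns non-zero. Comparing the public keys (rather than RSA moduli) keeps the check valid for EC keys as well.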