Security is Vital for Vitess!
The Open Source Technology Improvement Fund, in collaboration with Ada Logics, is proud to announce the results of a successful security audit for Vitess. Born at YouTube in 2010 to help scale up database interactions, Vitess eventually moved under the umbrella of the Cloud Native Computing Foundation, graduating within CNCF in 2019. Used in over 50 projects, Vitess’s functions of scaling, workflow, and shard management are critical for growing applications that see thousands, sometimes millions, of users daily.
VTAdmin is a new component of Vitess, and as such the whole of the component was considered during this audit as an artifact for security review. During this audit Ada Logics worked from a five-point list of goals, including manual code review, a threat model, improving Vitess’s fuzzing suite, and a SLSA grade. Of the moderate vulnerabilities that were reported, two CVEs had the potential to allow malicious users to block other users from using the full capabilities of VTAdmin or Vitess, for example by stopping others from creating shards. Two of the fuzzers created by Ada Logics for Vitess were directly inspired by these two CVEs and were immediately implemented.
Described further in the report are details of VTAdmin’s attack surface, SLSA compliance, and all 12 vulnerabilities disclosed during the process of the audit.
OSTIF extends its deep gratitude to Deepthi Sigireddi and the entire Vitess maintainer team, as well as David Korczynski and Adam Korczynski of Ada Logics. Further thanks to CNCF for their gracious funding of this audit and continued work in open source security.
See Ada Logics’s blog: https://adalogics.com/blog/vitess-security-audit-2023
See Vitess’s blog: https://vitess.io/blog/2023-06-05-vitess-security-audit
See the Cloud Native Computing Foundation’s blog: https://www.cncf.io/blog/2023/06/05/vitess-security-audit-results/
Vitess Security Audit Full Report: https://ostif.org/wp-content/uploads/2023/06/OSTIF-Adalogics-Vitess-Security-Audit-2023.pdf