Dr.-Ing. Mario Heiderich, Cure53
Bielefelder Str. 14
D 10709 Berlin
cure53.de · mario@cure53.de
Pentest-Report Vitess 02.2019
Cure53, Dr.-Ing. M. Heiderich, M. Wege, MSc. N. Krein, MSc. D. Weißer, J. Larsson
Index
Introduction
Scope
Test Methodology
Phase 1. Manual Code Auditing
Phase 2. Code-Assisted Penetration Testing
Miscellaneous Issues
VIT-01-001 MySQL: Comparison of Auth Token allows Timing Attacks (Info)
VIT-01-002 MySQL: Timing attacks due to plain-text password auth (Low)
VIT-01-003 PII: Not all SQL values covered by SQL redaction (Low)
Conclusions
Introduction
“Vitess is a database clustering system for horizontal scaling of MySQL”
From https://vitess.io/
This report documents the results of a security assessment targeting the Vitess
database clustering and scaling software. Funded by the CNCF / The Linux Foundation,
this project was carried out by Cure53 in February 2019 and revealed only three
miscellaneous findings.
In terms of resources, the test was completed by six members of the Cure53 team who
worked within a time budget of eighteen days. The testers are considered very
experienced in their respective fields and have considerable expertise in regard to
system complexity, cloud infrastructure, source code auditing, operating system
interaction, low-level protocol analysis and multi-angled penetration testing.
Prior to the assessment, a CNCF-typical setup was requested by the testers and
provided by the development team. Besides furnishing Cure53 with a Kubernetes-based
cluster, locally installed systems were also used for testing. Access to all relevant code
and documentation was granted. While the first project meeting provided the basis for
the audit, a more ad-hoc kick-off meeting ensured that no major hurdles emerged. A
Cure53, Berlin · 03/08/19 1/9