Headline
GHSA-pqj7-jx24-wj7w: VTAdmin users that can create shards can deny access to other functions
Impact
Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error.
Attempting to view the keyspace(s) will also no longer work.
Creating a shard using vtctldclient does not have the same problem because the CLI validates the input correctly.
Patches
v16.0.2, corresponding to 0.16.2 on pkg.go.dev
Workarounds
- Always use vtctldclient to create shards, instead of using VTAdmin
- Disable creating shards from VTAdmin using RBAC
- Delete the topology record for the offending shard using the client for your topology server. For example, if you created a shard called a/b in keyspace commerce, and you are running etcd, it can be deleted by doing something like
% etcdctl --endpoints "http://${ETCD_SERVER}" del /vitess/global/keyspaces/commerce/shards/a/b/Shard
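As an added example (not the advisory's or Vitess's own code), the Go program below shows both sides of this issue in working form: a server-side name check of the kind the CLI applies before a shard is created, and a scan over shard keys that finds records whose name spans more than one path level, which is how a shard named a/b ends up at .../shards/a/b/Shard. The key layout is taken from the etcd path quoted above; the function names and the exact check are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Key layout taken from the etcd key quoted in the workaround:
// /vitess/global/keyspaces/<keyspace>/shards/<shard>/Shard
const globalTopoRoot = "/vitess/global"
// ValidateShardName is an assumed check, not Vitess's own validator: the name
// must be non-empty and must stay a single path level under ".../shards/".
func ValidateShardName(name string) error {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return fmt.Errorf("invalid shard name %q: must be a single path segment", name)
	}
	return nil
}
// ShardKey builds the key unvalidated; "a/b" becomes two levels, "shards/a/b/Shard".
func ShardKey(keyspace, shard string) string {
	return path.Join(globalTopoRoot, "keyspaces", keyspace, "shards", shard, "Shard")
}
// ShardNameFromKey returns what sits between "/shards/" and "/Shard".
func ShardNameFromKey(key string) (string, bool) {
	const marker, suffix = "/shards/", "/Shard"
	i := strings.Index(key, marker)
	if i < 0 || !strings.HasSuffix(key, suffix) {
		return "", false
	}
	return strings.TrimSuffix(key[i+len(marker):], suffix), true
}

// FindMalformedShardKeys returns the keys (e.g. from an etcdctl listing) whose
// shard component fails ValidateShardName, i.e. the records to delete by hand.
func FindMalformedShardKeys(keys []string) []string {
	var bad []string
	for _, k := range keys {
		if name, ok := ShardNameFromKey(k); ok && ValidateShardName(name) != nil {
			bad = append(bad, k)
		}
	}
	return bad
}

func main() { // constructed sample keys, not real topology data
	keys := []string{ShardKey("commerce", "-80"), ShardKey("commerce", "a/b")}
	fmt.Println(FindMalformedShardKeys(keys)) // prints only the a/b key
}
```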
References
https://github.com/vitessio/vitess/issues/12842
Found during a security audit sponsored by the CNCF and facilitated by OSTIF.
CVE-2023-29195
Moderate severity. GitHub Reviewed. Published May 11, 2023 in vitessio/vitess. Updated May 11, 2023.
Package: vitess.io/vitess (gomod, Go)
Affected versions: < 0.16.2
References
- GHSA-pqj7-jx24-wj7w
- vitessio/vitess#12842
- vitessio/vitess#12843
- vitessio/vitess@9dcbd7d
- https://github.com/vitessio/vitess/releases/tag/v16.0.2
- https://pkg.go.dev/vitess.io/vitess@v0.16.2
Published to the GitHub Advisory Database: May 11, 2023
Last updated: May 11, 2023
Related news
Vitess is a database clustering system for horizontal scaling of MySQL through generalized sharding. Prior to version 16.0.2, users can either intentionally or inadvertently create a shard containing `/` characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspace(s) will also no longer work. Creating a shard using `vtctldclient` does not have the same problem because the CLI validates the input correctly. Version 16.0.2, corresponding to version 0.16.2 of the `go` module, contains a patch for this issue. Some workarounds are available. Always use `vtctldclient` to create shards, instead of using VTAdmin; disable creating shards from VTAdmin using RBAC; and/or delete the topology record for the offending shard using the client for your topology server.