# talk-hydra

colossal-megabyte-84131

04/12/2022, 8:45 AM
Hi, I have a question regarding Hydra's external dependencies in the context of CVE-2022-0778; we are using image v1.10.7-sqlite. I see there is a build Dockerfile with CGO enabled: https://github.com/ory/hydra/blob/e5295c6bb7188978ba6310c049f33c47a407d7a7/.docker/Dockerfile-build#L11 I wonder if Hydra is actually somehow using OpenSSL in a way that the CVE actually applies?

steep-lamp-91158

04/12/2022, 8:51 AM
I can confirm that the image is built using cgo. We don't use OpenSSL directly, but maybe the Go stdlib will use it? Does the Alpine version of that image contain a vulnerable OpenSSL version?

colossal-megabyte-84131

04/12/2022, 8:52 AM
If I'm looking correctly, it uses 3.14.2

steep-lamp-91158

04/12/2022, 8:56 AM
I see, the latest release uses 3.15, but I am not sure what it actually uses in the end 🤔
Maybe you could submit a PR to bump Alpine to 3.15.4 and we can release a new version later on?

colossal-megabyte-84131

04/12/2022, 8:58 AM
The main thing I'm looking for is whether Hydra is doing any certificate parsing that could cause the described DoS.
If it's using another library to do this, could you point me there so I can evaluate if this is an issue for the release that we are using?
Talking about X.509 certificates, to be precise.

steep-lamp-91158

04/12/2022, 9:05 AM
I don't think we use it, as Go libraries typically don't pull in C dependencies randomly, and you can compile Hydra without cgo without a problem, but I'd have to check.

white-greece-76805

04/12/2022, 10:30 AM
Go uses its own TLS library; it doesn't use OpenSSL.
Hence it is possible to run a Go app with all cryptographic features in a scratch container.