Hi I have question regarding Hydra external depend...
# talk-hydrac
colossal-megabyte-84131
04/12/2022, 8:45 AMHi I have question regarding Hydra external dependencies in context of CVE-2022-0778, we are using image v1.10.7-sqlite. I see there is build docker with CGO enabled: https://github.com/ory/hydra/blob/e5295c6bb7188978ba6310c049f33c47a407d7a7/.docker/Dockerfile-build#L11
I wonder if Hydra is actually somehow using OpenSSL in a way that CVE actually apply?
s
steep-lamp-91158
04/12/2022, 8:51 AM
I can confirm that the image is build using cgo
we don't use openssl directly, but maybe go stdlib will use it? does the alpine version of that image contain a vulnerable openssl version?
c
colossal-megabyte-84131
04/12/2022, 8:52 AMIf I'm looking correctly it uses 3.14.2
colossal-megabyte-84131
04/12/2022, 8:54 AMand it's fixed in alpine 3.15.1 https://www.linuxcompatible.org/story/alpine-linux-3151-released/
s
steep-lamp-91158
04/12/2022, 8:56 AM
I see, latest release uses
3.15steep-lamp-91158
04/12/2022, 8:57 AM
maybe you could submit a PR to bump alpine to
3.15.4c
colossal-megabyte-84131
04/12/2022, 8:58 AMthe main think I'm looking for if Hydra is doing potential certifcate parsing that could cause the described dos
colossal-megabyte-84131
04/12/2022, 8:59 AMif it's using other library to do this could you point me there so I can evaluete if this is an issue for the release that we are using?
colossal-megabyte-84131
04/12/2022, 8:59 AMtalking about X.509 certificates to be precise
s
steep-lamp-91158
04/12/2022, 9:05 AM
I don't think we use it as go libraries typically don't use c dependencies randomly, and you can compile hydra without cgo without a problem
but I'd have to check
w
white-greece-76805
04/12/2022, 10:30 AMgo uses its own tls library, it doesn't use openssl
white-greece-76805
04/12/2022, 10:31 AMhence it is possible to use a go app with all cryptographic features in a scratch container