#talk-hydra
Title
c
colossal-megabyte-84131
04/12/2022, 8:45 AMHi I have question regarding Hydra external dependencies in context of CVE-2022-0778, we are using image v1.10.7-sqlite. I see there is build docker with CGO enabled: https://github.com/ory/hydra/blob/e5295c6bb7188978ba6310c049f33c47a407d7a7/.docker/Dockerfile-build#L11
I wonder if Hydra is actually somehow using OpenSSL in a way that CVE actually apply?
s
steep-lamp-91158
04/12/2022, 8:51 AM
I can confirm that the image is build using cgo
we don't use openssl directly, but maybe go stdlib will use it? does the alpine version of that image contain a vulnerable openssl version?
c
colossal-megabyte-84131
04/12/2022, 8:52 AMIf I'm looking correctly it uses 3.14.2
and it's fixed in alpine 3.15.1 https://www.linuxcompatible.org/story/alpine-linux-3151-released/
s
steep-lamp-91158
04/12/2022, 8:56 AM
I see, latest release uses
3.15maybe you could submit a PR to bump alpine to
3.15.4c
colossal-megabyte-84131
04/12/2022, 8:58 AMthe main think I'm looking for if Hydra is doing potential certifcate parsing that could cause the described dos
if it's using other library to do this could you point me there so I can evaluete if this is an issue for the release that we are using?
talking about X.509 certificates to be precise
s
steep-lamp-91158
04/12/2022, 9:05 AM
I don't think we use it as go libraries typically don't use c dependencies randomly, and you can compile hydra without cgo without a problem
but I'd have to check
w
white-greece-76805
04/12/2022, 10:30 AMgo uses its own tls library, it doesn't use openssl
hence it is possible to use a go app with all cryptographic features in a scratch container