
Continued Use of Python 2 Will Heighten Security Risks

With support for the programming language no longer available, organizations should port to Python 3, security researchers say.

Nearly five months after the Python Software Foundation finally ended support for the Python 2 programming language, many developers are continuing to use it, heightening security risks for their organizations in the process.

Support for Python 2 ended Jan. 1, 2020. The Python Software Foundation has stopped issuing feature updates and security fixes for it and has urged everyone still using Python 2 to move to Python 3.

The decision means organizations still running Python 2 are most likely on their own if a serious security issue, new or long-standing, surfaces in it. Vulnerabilities found and fixed in Python 3 will not be checked against Python 2, leaving those organizations exposed to attacks that exploit them.

"If people find catastrophic security problems in Python 2 or in software written in Python 2, then most volunteers will not help fix them," the Python Software Foundation had bluntly noted in its Python 2 end-of-life announcement.

Python 2.0 was released in 2000 and continues to be a popular programming language among developers. Though its use has been declining in recent years, a relatively high percentage of Python apps in enterprises are based on Python 2.

In fact, as recently as June 2019, long after the Python Software Foundation had announced Python 2's end of life, most downloads of the most popular packages on the Python Package Index were still being made by Python 2 installations.

"Even if only a portion of these downloads are being used in live projects, the Python 2 EOL could potentially affect the security of millions of systems," the UK's National Cyber Security Centre (NCSC) had warned in a blog post last August.

A survey of 1,200 individuals conducted by ActiveState between last October and November showed that 31% of organizations had no plan to migrate to Python 3. Thirty-seven percent of respondents said more than half of all Python apps in their organizations were based on Python 2. About 48% of the organizations using Python 2 were small, with fewer than 100 employees, but nearly one in three (29%) organizations using Python had 1,000 or more employees.

"Python 2 is used very widely in enterprise settings," says Thomas Hatch, CTO and co-founder at SaltStack, a provider of IT automation software. "It is not used to create new code nearly as often as Python 3 today, but it is still widely developed and deployed."

One reason has to do with an "if it ain't broke, don't fix it" mentality, security analysts say. In many cases, organizations have been running Python 2 for years without incident, and the language itself has had very few security issues.

Since 2008, Python 2 and Python 3 together have only had 49 vulnerabilities, with 20 labeled as memory corruption, code execution, or overflows, says Shane Fry, VP of security engineering at RunSafe Security. "[That] is a super low number of CVEs compared to other popular software packages," he says.

Hatch agreed. "Python2 has been rock-solid," he says. Researchers have audited Python 2 for security issues many times over the years and haven't found a critical vulnerability in a long time. So "while it is strongly encouraged to upgrade all active code to Python3, it is not a crisis situation," Hatch says.

Code Inertia
Security stability and code inertia are not the only reasons why some organizations have been slow to port from Python 2 to Python 3. Another major reason is that many organizations are struggling to find Python 3 packages that offer the same functionality they have come to rely on from Python 2 counterparts, says Jeff Rouse, vice president of product at ActiveState.

"In addition, for large codebases, the changeover can be painstakingly long to do and requires substantial investment," Rouse says.

Other reasons that ActiveState's customers have offered for slow or delayed migration to Python 3 include challenges associated with the need to support Python 2 applications while also migrating to Python 3, learning to code in Python 3, and managing expectations, he says.

"Python 2 is proving to be a particularly difficult habit to kick," Rouse says. Until recently, many popular operating systems, including macOS, continued to ship Python 2 as the default Python installation. Other operating systems, such as Debian and SUSE, supported both Python 2 and 3 out of the box. In fact, it wasn't until June 2017 that Python 3 users started outnumbering Python 2 users, Rouse notes.

Jonn Callahan, principal security consultant at application security provider nVisium, says even though an organization may not currently have any issues with Python 2, it still is a good idea to port to Python 3. Not updating a technology just because it works is what results in organizations accumulating insurmountable amounts of technical debt, Callahan notes.

"The truth is, applications require regular maintenance, even if nothing 'new' is being introduced," he says.

Importantly, although there is no data to support increased researcher or attacker interest in targeting Python 2, Python itself is one of the most widely used languages in the creation of both malware programs and security tools, Rouse says. So as technology advances and attacking techniques evolve, so must the code to repel them.

"A core programming language needs continual maintenance to remain secure," he notes. Importantly, using unsupported code could raise compliance issues both internally and externally with regard to mandates such as PCI DSS, ActiveState has noted.

While many organizations might have good reasons for not wanting to migrate to Python 3, moving off Python 2 has also become much easier over the years, SaltStack's Hatch says.

"The main issue in the past was having to wait for support libraries to move to Python 3, but this has been done with virtually all maintained Python libraries at this point," Hatch says. In addition, many tools are currently available that allow organizations to scan and upgrade large portions of Python 2 code for them, he says.
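A practical first step in any such migration is an inventory of which files still depend on Python 2, because some differences are caught by the Python 3 parser while others only surface at runtime. The following is an added example written for this page; it is not code from the article or from any tool ActiveState or SaltStack provides, and the file names and contents it scans are constructed samples. It runs two checks under Python 3: compile() to catch syntax Python 3 rejects outright (print statements, `except E, e:`), and a regex pass for names that are valid Python 3 syntax but no longer exist at runtime (basestring, dict.iteritems, urllib2), which a compile check alone would miss:

```python
"""Inventory Python 2-only code ahead of a Python 3 migration.

Added example for this page, not code from the article or from any tool it
mentions. The sample sources below are constructed, not real project code.
"""
import re

# Names and attributes that compile fine under Python 3 but fail at runtime
# (NameError, AttributeError or ImportError). Heuristic, not exhaustive.
PY2_ONLY_NAMES = {
    r"\bbasestring\b": "basestring removed; use str",
    r"\bunicode\(": "unicode() removed; use str()",
    r"\braw_input\(": "raw_input() renamed to input()",
    r"\.iteritems\(": "dict.iteritems() removed; use .items()",
    r"\.has_key\(": "dict.has_key() removed; use `in`",
    r"\bimport\s+urllib2\b": "urllib2 split into urllib.request/urllib.error",
    r"\bimport\s+cPickle\b": "cPickle merged into pickle",
}


def syntax_errors(sources):
    """Return {filename: message} for sources the Python 3 compiler rejects."""
    failures = {}
    for name, src in sources.items():
        try:
            compile(src, name, "exec")
        except SyntaxError as exc:
            failures[name] = f"line {exc.lineno}: {exc.msg}"
    return failures


def runtime_name_hits(sources):
    """Return {filename: [(lineno, note), ...]} for Python 2-only names."""
    hits = {}
    for name, src in sources.items():
        for lineno, line in enumerate(src.splitlines(), start=1):
            for pattern, note in PY2_ONLY_NAMES.items():
                if re.search(pattern, line):
                    hits.setdefault(name, []).append((lineno, note))
    return hits


def migration_report(sources):
    """Bucket files: syntax failures, runtime-only risks, and clean files."""
    syntax = syntax_errors(sources)
    names = runtime_name_hits(sources)
    return {
        "syntax_fail": sorted(syntax),
        "runtime_risk": sorted(set(names) - set(syntax)),
        "clean": sorted(set(sources) - set(syntax) - set(names)),
        "details": {"syntax": syntax, "names": names},
    }


# Constructed sample sources (assumed file names; not real project code).
SAMPLES = {
    "legacy_print.py": 'import sys\nprint "starting", sys.argv\n',
    "legacy_except.py": "try:\n    open('x')\nexcept IOError, e:\n    pass\n",
    "subtle.py": (
        "def is_text(v):\n"
        "    return isinstance(v, basestring)\n"
        "def dump(d):\n"
        "    for k, v in d.iteritems():\n"
        "        print(k, v)\n"
    ),
    "fine.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    report = migration_report(SAMPLES)
    for bucket in ("syntax_fail", "runtime_risk", "clean"):
        print(bucket, report[bucket])
    for fname, msg in report["details"]["syntax"].items():
        print(f"  {fname}: {msg}")
    for fname, notes in report["details"]["names"].items():
        for lineno, note in notes:
            print(f"  {fname}:{lineno}: {note}")
```

The point of the second pass is that subtle.py compiles cleanly under Python 3 yet would raise NameError and AttributeError the first time those functions run, so a clean compile is necessary but not sufficient. The name list is a heuristic: it will not catch bytes/str mixing or integer-division changes, which is why a test suite run under Python 3 should follow an inventory like this before any automated rewrite with a tool such as 2to3.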


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Reader comment, 4/30/2020 6:16:49 PM
Hanging on by a Thread
This end date of Jan 2020 is not that far in the past. There are certain applications that are utilized well after their support life cycle has ended, referred to as legacy. With this being said, I wouldn't be surprised if Python 2 doesn't go away for quite some time.