- A critical security vulnerability (CVE-2021-3177) affecting Python 3 also affects Python 2.
- The vulnerability could allow attackers to access sensitive information or deny access to systems.
- We will issue a patch for Python 2 (as Python 2 has reached End of Life and is no longer maintained by the Python community.)
A patch for this vulnerability in Python 3 has been developed by the Python core team and will be made available in new Python language versions shortly. ActiveState will provide these new Python 3 versions on the ActiveState Platform as soon as they are available upstream. Separately, we have issued a fixed version for Python 2.7 that resolves this vulnerability as part of our Python 2 extended support.
Python Vulnerability & Fix Details
CVE-2021-3177 is a buffer overflow vulnerability in Python 3.x through 3.9.1 which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input. This occurs because sprintf is used unsafely.
The Python community has done a great job in fixing this vulnerability in source code repositories very quickly, and new versions of Python 3 containing this fix will be released soon. As always, ActiveState will wait for the official release from the Python Software Foundation before providing the newly fixed versions on our Platform. The ActiveState Platform will support Python 3.8.8 and 3.9.2 versions at a minimum and may provide 3.7 or 3.6 versions depending on demand.
We have also created a fix for Python 2.7.18 and will be issuing a new version to our Python 2 extended support customers. The source code for this fix is available for security experts and open source maintainers to review and incorporate into their projects
CVE Implications for Organizations
The implication of CVE-2021-3177 is that an attacker could exploit the vulnerability to trigger a denial of service or potentially run malicious code. Put another way, this is a classic buffer overrun exploit which allows attackers to remotely crash your application or exploit whatever system your application is deployed on. It is particularly important that your applications not be deployed with root privileges that would allow more scope for an attacker to target.
For businesses, this CVE means that an attacker may be able to access databases containing sensitive information such as customer records, financial data or confidential IP.
What makes this kind of vulnerability particularly dangerous is the difficulty in detecting it. If extensive code reviews of your web applications are impractical, penetration testing may be your best bet and should be performed for any applications that handle sensitive information.
Contact us for a free risk assessment of your Python 2 applications.
ActiveState Python Security Fixes
ActiveState has over 20 years of experience supporting Fortune 1000 enterprises and remains committed to resolving Python CVEs for our customers. Despite the fact that Python 2 reached End of Life in January 2020, ActiveState continues to provide extended support, affording our customers a safety net while they migrate or continue running their Python 2 applications.
Our engineering team continually monitors known Python CVE’s using a variety of sources including security alerts from the core language teams, vulnerability databases, and open source projects that track security issues in various ecosystems. Our fixes are built and code reviewed by our Python specialists and evaluated against the Python core or package that is being remediated, as well as all relevant versions of Windows, Linux and macOS before being made available – all of which is done through the ActiveState Platform, which serves as our internal build engineering system.