Preventing issues when installing Python
Bravura Security Fabric requires a specific Python version series for the interpreter that our code uses for scripted automation and some integrations. That series is the one that was current when the specific product version was developed; however, the Python project does not provide binaries for the latest security releases of older series, only source code.
This article explains that requirement, the installation settings that go with it, and our mitigation for the Python project's lack of security releases in binary form.
When the Python project releases source code for security fixes (CVEs), the fixes are usually for obscure features and use cases that Bravura Security Fabric does not use; however, customer auditors have to work through their checklists and make sure that production environments are as secure as possible.
Reason for requirement
Each new Python version series introduces syntax changes, and updating a growing body of code to a new interpreter generation takes months of dedicated work, which is why a newer Python release series cannot be used with an older Bravura Security Fabric instance. Unless you restrict security releases to the Python series required by each specific version of Bravura Security Fabric, you risk functionality failures in the product.
This is also relevant during in-place upgrades.
Before running the installer for a new version of Bravura Security Fabric, while the product services are down, install the Python interpreter version required by the new version and remove the old one, so that the new version cannot pick up the old interpreter by accident.
On servers where different versions of Bravura Security Fabric have to run side by side, the Python path in the environment variables of each instance's service account, and in each instance's instance.bat, has to be adjusted manually (the installer does not handle that case).
Solution
Upgrade to the latest released version of Bravura Security Fabric with its relevant Python version.
If a security audit suggests a Python upgrade to a version other than the one documented to work with your Bravura Security Fabric version, do not follow that advice, as it will break product functionality. Instead, compile the Python security release that matches the product version.
To install correctly:
Always use the 64-bit version of the installer (the .exe or .msi has "amd64" in the filename)
Run the installer with elevated privileges (e.g. as Administrator)
An alternative to running the installer manually and selecting the right options in the installer GUI is to automate the installation from an elevated command prompt like this:
python-3.5.3-amd64.exe /quiet InstallAllUsers=1 AssociateFiles=1 PrependPath=1 Include_test=0
If using the GUI:
Choose the Add Python to PATH option whenever the installer provides it.
Choose Customize installation if the install path does not look like the one in the screenshot below (directly under Program Files, so that it is available to all users)
Select "Install for all users" everywhere the Python installer offers it; Python has to be installed in C:\Program Files\PythonXX\ and be available in the Windows system PATH (and in particular in the PATH of the psadmin account, or whichever service account the instance uses);
XX indicates the version, so Python 3.5 would be installed in C:\Program Files\Python35\
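As an added example (not the product's own installer script and not part of the original article), the following PowerShell script performs the unattended install with the same options as the command line above and then checks the points this article makes: 64-bit installer, elevated prompt, the C:\Program Files\PythonXX\ location, the exact version reported by the binary, the machine PATH, and any other python.exe on the PATH that a new instance could pick up by accident after an in-place upgrade. The installer file name, required version and service account name are parameters you supply (psadmin is assumed only as the default); the script checks the machine PATH only, so the service account's own PATH and the instance's instance.bat still have to be checked by hand.

```powershell
# Added example, not part of the Bravura Security Fabric installer or documentation.
# Installs a 64-bit Python for all users with the options from this article, then
# verifies location, version and PATH. $Installer, $Required and $ServiceAccount are
# assumptions supplied by the caller; the stale-interpreter scan covers the machine PATH.
param(
    [Parameter(Mandatory)] [string]  $Installer,   # e.g. .\python-3.5.3-amd64.exe
    [Parameter(Mandatory)] [version] $Required,    # e.g. 3.5.3
    [string] $ServiceAccount = 'psadmin'           # instance service account (assumed)
)
$ErrorActionPreference = 'Stop'

function Get-PythonVersion([string] $Exe) {
    # "Python 3.5.3" -> [version]3.5.3; asks the binary rather than trusting the file name.
    # Python 3.4+ prints --version on stdout; older interpreters are not handled here.
    [version]((& $Exe --version) -replace '^Python\s+', '')
}

# 1. Only the 64-bit installer is supported (file name carries "amd64").
if ((Split-Path $Installer -Leaf) -notmatch 'amd64') {
    throw "Use the 64-bit installer (file name contains 'amd64'), not: $Installer"
}

# 2. InstallAllUsers=1 needs an elevated prompt; fail early instead of half-installing.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt.'
}

# 3. Unattended install with the same options as the article's command line.
$installerArgs = '/quiet', 'InstallAllUsers=1', 'AssociateFiles=1', 'PrependPath=1', 'Include_test=0'
$proc = Start-Process -FilePath $Installer -ArgumentList $installerArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# 4. An all-users install lands in C:\Program Files\PythonXX\ (XX = major and minor).
$expectedDir = Join-Path $env:ProgramFiles ('Python{0}{1}' -f $Required.Major, $Required.Minor)
$expectedExe = Join-Path $expectedDir 'python.exe'
if (-not (Test-Path $expectedExe)) { throw "python.exe not found at $expectedExe" }

# 5. Auditors look at the exact patch level: compare what the binary reports.
$installed = Get-PythonVersion $expectedExe
if ($installed -ne $Required) { throw "Installed $installed, expected $Required" }

# 6. PrependPath=1 together with InstallAllUsers=1 writes the directory to the machine PATH.
$machineDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
if ($machineDirs -notcontains $expectedDir.TrimEnd('\')) {
    throw "$expectedDir is not on the machine PATH; the $ServiceAccount service will not find it"
}

# 7. Any other python.exe reachable through PATH can be picked up by the new instance
#    by accident; report every interpreter that is not in the required series.
$stale = foreach ($dir in $machineDirs) {
    $exe = Join-Path $dir 'python.exe'
    if ((Test-Path $exe) -and ($exe -ne $expectedExe)) {
        $v = Get-PythonVersion $exe
        if ($v.Major -ne $Required.Major -or $v.Minor -ne $Required.Minor) { "$exe ($v)" }
    }
}
if ($stale) {
    Write-Warning ("Stale interpreters on the machine PATH, remove them:`n" + ($stale -join "`n"))
} else {
    Write-Host "OK: $expectedExe is $installed and no other Python series is on the machine PATH"
}
```

Save the script under any name and run it from an elevated prompt, for example with -Installer .\python-3.5.3-amd64.exe -Required 3.5.3. The version check compares against the exact release, so for a Bravura Security build of a later security release (see the Mitigation section) pass that release number, for example 3.5.8.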
Mitigation
If you cannot upgrade the instance yet and have to use a Bravura Security Fabric version that uses an older Python version:
Check whether the Python project still provides binaries for the latest release of the 3.x.* series required by your Bravura Security Fabric version.
If no binaries are available there for the latest security release, contact Support and reference CCB-154 in Jira to obtain a newer 3.5, 3.7 or 3.10 Python build with more security patches (3.5.8 or newer, 3.7.10 or newer, 3.10.12 or newer), built by Bravura Security.
Note that when you install such a version, for which the Python project does not provide binaries, you cannot select the options for debugging symbols and debug binaries (neither the Bravura Security Fabric installer nor the Python website contains them):