1 Reply Latest reply on Dec 20, 2019 5:08 PM by Martien van den Akker

    WLST Jython support from Oracle

    user7458230

      From the end of the year Python 2 will no longer be supported. Python.org says:

       

      We are volunteers who make and take care of the Python programming language. We have decided that January 1, 2020, will be the day that we sunset Python 2. That means that we will not improve it anymore after that day, even if someone finds a security problem in it. You should upgrade to Python 3 as soon as you can.

       

      Since WLST is based on Jython, and Jython does not support Python 3, is it safe to assume that Oracle will continue to provide any security fixes needed for WLST and the underlying Jython platform?

        • 1. Re: WLST Jython support from Oracle
          Martien van den Akker

          Hi,

           

          I think this is a question for Oracle Support. Whatever I say, know or suggest about it can't be used as a formal statement. Only Oracle can do that.

          But Jython is a completely separate implementation than Python, although it uses the same syntax. As you understand, it is implemented on the JVM. On https://www.jython.org/download.html I understand that the latest version is 2.7, so no version 3. Therefore, as I would say, the security issues in Python 2 are different than those in Jython.

           

          That being said, although WLST is based on Jython version 2.x (whatever version), it is part of Weblogic. And therefore you may expect integral support on it. Just as well as on the fact that Weblogic uses loads of Apache, Eclipse, Glassfish and other libraries. It is the responsibility of Weblogic Development to have those upgraded to a security-safe level, as far as it would make Weblogic unsafe. I do not think that Oracle/Weblogic will support the underlying Jython platform on its own, only within the context of Weblogic, thus as far as it is used within Weblogic.

           

          Another thought: Jython in WLST is used to run the scripts and the command-line interface. Connecting to Weblogic and executing Weblogic APIs to read and update MBeans are done through Weblogic libraries. Jython is not used for online code/services. So as I see now, Jython in itself does not affect the security of a running Weblogic instance. But I feel that is a bit of a tricky statement, because I do not have insight into the recent, currently known bugs in either Jython or Weblogic. But from an architectural standpoint I conclude that the risk is low.

           

          So is it safe to state what you state? I think you should get that statement from Oracle Support.

           

          Kind regards,
          Martien