Description:

Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/oradditional functionalities of the newer version.


Rationale:

Newer versions may contain security enhancements and additional functionality. Using the latest software version is recommended in order to take advantage of enhancements and new capabilities. With each software installation, organizations need to determine if a given update meets their requirements. They must also verify the compatibility and support provided for any additional software against the update revision that is selected. Using the latest full version will keep your stack secure to vulnerabilities and exploits.


Impact:

If your app is written using version-dependent features or libraries, they may not be available on the latest version. If you wish to upgrade, research the impact thoroughly. Upgrading may have unforeseen consequences that could result in downtime.


Audit:

From Azure Console

1. From Azure Home open the Portal Menu in the top left

2. Go to App Services

3. Click on each App

4. Under Settings section, click on Configuration

5. Click on the General settings pane and ensure that for a Stack of Python, with

Major Version of Python 3, that the Minor Version is set to the latest stable

version available (Python 3.11, at the time of writing)


NOTE: No action is required if Python version is set to Off, as Python is not used by

your web app.


From Azure CLI

To check Python version for an existing app, run the following command

az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name

<APP_NAME> --query

"{LinuxFxVersion:linuxFxVersion,WindowsFxVersion:windowsFxVersion,PythonVersi

on:pythonVersion}

The output should return the latest stable version of Python.


NOTE: No action is required if the output is empty, as Python is not used by your web

app.


From PowerShell

$app = Get-AzWebApp -Name <app name> -ResourceGroup <resource group name>

$app.SiteConfig |Select-Object LinuxFXVersion, WindowsFxVersion,

PythonVersion

Ensure the output of the above command shows the latest version of Python.


NOTE: No action is required if the output is empty, as Python is not used by your web

app.


Remediation:

From Azure Portal

1. From Azure Home open the Portal Menu in the top left

2. Go to App Services

3. Click on each App

4. Under Settings section, click on Configuration

5. Click on the General settings pane and ensure that the Major Version and the Minor Version is set to the latest stable version available (Python 3.11, at the time of writing)


NOTE: No action is required if Python version is set to Off, as Python is not used by your web app.


From Azure CLI

To see the list of supported runtimes:

az webapp list-runtimes

To set latest Python version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME>

[--windows-fx-version "PYTHON|3.11"] [--linux-fx-version "PYTHON|3.11"]


From PowerShell

As of this writing, there is no way to update an existing application's SiteConfig or set the a new application's SiteConfig settings during creation via PowerShell.


Default Value:

The version of Python is whatever was selected upon App creation.


References:

1. https://docs.microsoft.com/en-us/azure/app-service/web-sites-configure#generalsettings

2. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediatesoftware-vulnerabilities

3. https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3- posture-vulnerability-management#pv-3-establish-secure-configurations-forcompute-resources

4. https://www.python.org/downloads/