Introduction
VMware Aria Automation is a platform designed to simplify and automate IT operations, enabling organizations to efficiently manage and scale their infrastructure. It is quite huge piece that consists many services within and gives us really many opportunities for different kind of integration. One of it is Action Based Extensibility (ABX) Actions which refers to a customizable action or task that can be integrated into the automation workflows. These actions extend the platform’s capabilities beyond its built-in functions, allowing users to incorporate their own custom scripts, third-party tools, or unique processes into the automation process.
This “extensibility action” is actually what I’m using quite often and last days I noticed that one of my Python extensibility action failed many times due to some errors related to urllib3 module. I validated the logs and saw an error message in relation to the version of OpenSSL used to compile one of the dependencies:
ImportError: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the ‘ssl’ module is compiled with ‘OpenSSL 1.0.2y-fips 16 Feb 2021’. See: https://github.com/urllib3/urlib3/issues/2168
Understanding the Bug
This issue is related to the version of the urllib3 module provided within the polyglot functionality.
The TLS situation in Python has considerably improved since the early years of urllib3 and now urllib3 module took advantage of new features but still accepts OpenSSL versions that don’t have SNI, for example. OpenSSL currently supports:
- Version 1.1.1 will be supported until 2023-09-11 (LTS).
- Version 1.0.2 is no longer supported. Extended support for 1.0.2 to gain access to security fixes for that version is available.
- Versions 1.1.0, 1.0.1, 1.0.0 and 0.9.8 are no longer supported.
And what’s more Python 3.10+ will require OpenSSL 1.1.1+ to work properly. There are really very limited situations where we will have unsupported versions working together so let’s assume overall concept is fine.
The suggested workaround for the moment is to use an older release of urllib3 to provide support for the earlier version of OpenSSL.
Resolution Steps
If you are using Action Based Extensibility (ABX) Actions to run the Python code and experience this error follow below steps to fix the bug.
The main thing is to force Python to use urllib3 module in version lower than 2, so to do this you can define this in two ways:
- Set dependency of module equal specific version number:
- Set dependency of module less than version 2:
There is also a VMware KB article to assist you with how to workaround the issue: https://kb.vmware.com/s/article/92237. You can get familiar with it of course but is is more less the same presented above.
Conclusions
In a world where technology evolves at a rapid pace, security must remain a top priority for individuals and organizations alike. The VMware Aria Automation bug is actually not VMware bug but only proves that security is an ongoing journey. It highlights the never ending development on different technologies – in this example Python language – to safeguard online platforms. We all have a role to play in maintaining a secure digital landscape and stay informed about changes and new features to protect our solutions accordingly.