Hi! I would like to get some opinions/checking on what I encountered upon scanning an AWS Linux server. I already posted this on stackexchange.
We have an Amazon Linux server and we scan it using OpenVAS. It detected one high vulnerability, which is Amazon Linux Local Check: alas-2016-754.
Looking at the solution, it says: Run yum update php70 to update your system.
The vulnerable package detected is:
Vulnerable package: gmp
Installed version: gmp-6.0.0-11.16.amzn1
Fixed version: gmp-7.0.11-1.16.amzn1
At first we didn't have PHP installed, so what we did was install the latest version of PHP. Upon running the suggested solution, the result is "No packages marked for update".
We also did yum update.
After doing another scan the package is still detected by OpenVAS.
We installed the latest gmp version, which is php70-gmp7.0.33-1.32.amzn1.x86_64, but it still gets flagged by OpenVAS.
What could possibly be the problem behind this? Or what other ways are there for us to verify that this is a false positive?
It seems this (and all other Amazon Linux LSCs) got created and submitted by a third-party contributor some years ago.
When comparing the code of the problematic 2016/alas-2016-754.nasl with other PHP-related LSCs created for Amazon Linux, like e.g. the one in 2016/alas-2016-698.nasl, it seems the generator used by this contributor is/was buggy and created wrong version checks like e.g.:
The Amazon Linux LSCs affected by this bug got updated accordingly and should be shipped in the feed with one of the next feed updates (The Amazon Linux Local Check: alas-2016-754 VT should have version 2019-07-02T09:11:25+0000 which is the fixed version).
Please let us know if this solves the issue you are seeing.
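To see for yourself why the result is a false positive (the question raised in the first post) and what a package-name mix-up in a generated version check looks like (the explanation in the reply), here is an added example that replays such a check locally. It is not code from the thread or from the Greenbone VT; the installed package list is constructed from the versions quoted above (the php70-gmp NVR is assumed to be hyphenated like the others), and the "corrected" check is an assumption that the advisory's fixed version was meant for the php70-gmp package.

```python
import re

# Constructed sample of `rpm -qa` output, using the versions quoted in the thread
# (the php70-gmp NVR is assumed to be hyphenated like the other packages).
INSTALLED_PACKAGES = [
    "gmp-6.0.0-11.16.amzn1.x86_64",
    "php70-gmp-7.0.33-1.32.amzn1.x86_64",
]
# (package name, fixed version, fixed release) as a local security check compares them.
BUGGY_CHECK = ("gmp", "7.0.11", "1.16.amzn1")            # what the generated VT compared
CORRECTED_CHECK = ("php70-gmp", "7.0.11", "1.16.amzn1")  # assumed intent: the php70 package

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison in the style of rpm's rpmvercmp (tilde/caret
    handling omitted): numeric segments compare numerically, alphabetic ones
    lexically, numeric beats alphabetic, and the string with segments left
    over is newer. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvr(pkg: str) -> tuple:
    """Split 'name-version-release[.arch]' into (name, version, release)."""
    for arch in ("x86_64", "i686", "noarch"):
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
    name, ver, rel = pkg.rsplit("-", 2)
    return name, ver, rel

def evaluate(check, packages=INSTALLED_PACKAGES) -> str:
    """Replay one version check against the installed set: version first,
    then release, exactly as an rpm EVR comparison would."""
    name, fixed_ver, fixed_rel = check
    installed = {n: (v, r) for n, v, r in map(parse_nvr, packages)}
    if name not in installed:
        return "not installed"
    ver, rel = installed[name]
    order = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return "vulnerable" if order < 0 else "fixed"
```

evaluate(BUGGY_CHECK) reports "vulnerable" because the base gmp library is legitimately at 6.0.0 and will never reach 7.0.11, while evaluate(CORRECTED_CHECK) reports "fixed" for the php70-gmp package that the advisory actually concerns.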