Hi! I would like to get some opinions/checking on what I encountered upon scanning an AWS Linux server. I already posted this on Stack Exchange.
We have an Amazon Linux server and we scan it using OpenVAS. It detected one high vulnerability, which is Amazon Linux Local Check: alas-2016-754.
Looking at the solution, it says "Run yum update php70 to update your system."
The vulnerable package detected is:
Vulnerable package: gmp
Installed version: gmp-6.0.0-11.16.amzn1
Fixed version: gmp-7.0.11-1.16.amzn1
At first we didn't have PHP installed, so what we did was install the latest version of PHP. Upon running the suggested solution, the result is "No packages marked for update".
We also did yum update.
After doing another scan the package is still detected by OpenVAS.
We installed the latest gmp version which is php70-gmp7.0.33-1.32.amzn1.x86_64 but it still gets flagged by OpenVAS.
What could possibly be the problem behind this? Or what other ways are there for us to verify that this is a false positive?