Amazon Linux 2 : python3 (ALAS-2018-1132)

Medium Nessus Plugin ID 119786

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM.(CVE-2018-14647)

Solution

Run 'yum update python3' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2018-1132.html

Plugin Details

Severity: Medium

ID: 119786

File Name: al2_ALAS-2018-1132.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2018/12/20

Updated: 2018/12/21

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:python3, p-cpe:/a:amazon:linux:python3-debug, p-cpe:/a:amazon:linux:python3-debuginfo, p-cpe:/a:amazon:linux:python3-devel, p-cpe:/a:amazon:linux:python3-libs, p-cpe:/a:amazon:linux:python3-test, p-cpe:/a:amazon:linux:python3-tkinter, p-cpe:/a:amazon:linux:python3-tools, cpe:/o:amazon:linux:2

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2018/12/19

Reference Information

CVE: CVE-2018-14647

ALAS: 2018-1132