Security Center uses Linux repositories to provide closed-loop vulnerability detection and fixes, as well as a comprehensive reference for you to fix vulnerabilities.
Considerations
- For security
When a vulnerability is detected, we recommend that you fix the vulnerability to harden your assets and improve the security of your system.
- For stability
To fix a vulnerability, you need to run code or commands on your assets to install patches for running applications or core components of the operating system. This operation restarts the affected assets, which may cause business interruptions. In production environments or other environments that require high stability, you must plan fixes based on their threat level to minimize downtime.
Information provided by Security Center
Vulnerability scan levels
In the left-side navigation pane, choose Vulnerabilities. On the Vulnerabilities page that appears, all unfixed Linux software vulnerabilities are displayed, as shown in the following figure. To view the vulnerabilities of a specific level, or vulnerabilities that have already been fixed, select the desired search criteria in the search box.
To adjust Vul scan level, click Settings in the upper-right corner of the Vulnerabilities page, and then select Vul scan level as required. Vulnerabilities of a given level are shown on the Vulnerabilities page only after you select that level here. For example, if you select only High, only high-level vulnerabilities are displayed on the Vulnerabilities page.
Software vulnerabilities with similar causes that occur in a specific period are fixed in a patch that is officially released. Patches used to fix vulnerabilities are labeled with a vulnerability announcement ID. On the Vulnerabilities page, vulnerabilities are grouped and displayed by announcement.
Vulnerability announcement ID format
The vulnerability announcements of the Red Hat series, such as Red Hat Enterprise Linux and CentOS, start with RHSA. The vulnerability announcements of the Ubuntu series from Canonical start with USN. A vulnerability announcement contains the name of the software product in which the vulnerability is detected. The vulnerability announcements from the Red Hat series use the severity levels that are specified by Red Hat. Security Center takes these levels into account when determining the fix order.
Vulnerability tags
Security Center marks the characteristics of each vulnerability in its announcement and displays them as tags next to the announcement.
Tags include Restart Required, Exploit Exists, Code Execution, Elevation of Privilege, and Remotely Exploitable.
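As an added illustration (example code, not part of the Security Center product or this page), the following Python script applies the triage idea described above: it recognizes the announcement ID prefixes (RHSA, USN), scores an announcement from its Red Hat severity level and the tags listed above, and separates fixes that need a restart so they can be scheduled into a maintenance window, as the stability consideration recommends. The tag weights and the sample announcements are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Severity levels as used by Red Hat advisories (RHSA).
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Tags shown next to an announcement in Security Center. The weights are an
# assumption for this example, not the product's own scoring.
TAG_WEIGHT = {
    "Remotely Exploitable": 3,
    "Exploit Exists": 3,
    "Code Execution": 2,
    "Elevation of Privilege": 1,
    "Restart Required": 0,  # affects scheduling, not urgency
}

# RHSA-YYYY:NNNN or USN-NNNN-N
ANNOUNCEMENT_RE = re.compile(r"^(RHSA|USN)-\d+[:-]\d+(?:-\d+)?$")


@dataclass
class Announcement:
    id: str
    severity: str
    tags: list = field(default_factory=list)


def family(announcement_id: str) -> str:
    """Map an announcement ID to its distribution family by prefix."""
    m = ANNOUNCEMENT_RE.match(announcement_id)
    if not m:
        raise ValueError(f"unrecognized announcement ID: {announcement_id}")
    return {"RHSA": "redhat", "USN": "ubuntu"}[m.group(1)]


def priority(a: Announcement) -> int:
    """Higher is more urgent: severity rank dominates, tags break ties."""
    return SEVERITY_RANK.get(a.severity, 0) * 10 + sum(TAG_WEIGHT.get(t, 0) for t in a.tags)


def plan(announcements):
    """Split fixes into those applicable now and those needing a restart window,
    each ordered so the most dangerous announcements are fixed first."""
    now, window = [], []
    for a in sorted(announcements, key=priority, reverse=True):
        (window if "Restart Required" in a.tags else now).append(a.id)
    return {"fix_now": now, "restart_window": window}


# Constructed sample input; the IDs are placeholders, not real advisories.
SAMPLE = [
    Announcement("RHSA-0000:0001", "Moderate", ["Restart Required"]),
    Announcement("USN-0000-1", "Important", ["Remotely Exploitable", "Exploit Exists"]),
    Announcement("RHSA-0000:0002", "Critical", ["Code Execution", "Restart Required"]),
    Announcement("USN-0000-2", "Low", []),
]
```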
After you click a vulnerability announcement, the following pane appears:
CVE information
You can click a Common Vulnerabilities and Exposures (CVE) ID to view the technical details of the CVE.
Vulnerability details
You can click Details in the Actions column that corresponds to a vulnerability to view its cause.
Related process
You can click the icon in the Related process column to check whether the software package affected by this vulnerability is loaded.
- If the icon is gray, it indicates that the software package affected by this vulnerability is not loaded.
- If the icon is blue, the package is loaded, and you can click the icon to view which processes have loaded it.
Vulnerability fix
You can fix vulnerabilities on the Detail page in the Security Center console. Multiple vulnerabilities can be fixed at the same time.
Follow-up operations
After a fix is completed, you must verify it. Security Center then shows whether the vulnerability has been fixed.
After you fix Linux kernel vulnerabilities, you need to restart the system for the fix to take effect.