Security Center uses Linux repositories to provide closed-loop vulnerability detection and fixes, as well as a comprehensive reference for you to fix vulnerabilities.
If a vulnerability is detected, we recommend that you install the required patch to fix the vulnerability and harden the security of your assets.
To fix a vulnerability, you may need to run code or commands on your assets to install patches for running applications or the core components of operating systems. This operation restarts the affected application or operating system, which may cause service interruptions. In production environments or other environments that require high stability, you must plan vulnerability fixes based on their threat level to minimize downtime.
Information about vulnerability-related features provided by Security Center
All Security Center editions, including the Basic edition, support the vulnerability detection feature. If you have not purchased a paid edition, you can use the Basic edition to detect vulnerabilities. For more information, see Introduction to Security Center Basic.
Software vulnerabilities that have similar causes and occur in a specific period are fixed by using an officially released patch. Patches used to fix vulnerabilities are labeled with vulnerability announcement IDs. On the Vulnerabilities page, vulnerabilities are displayed by announcement.
Format of a vulnerability announcement
The vulnerability announcements of distributions developed by Red Hat, such as Red Hat Enterprise Linux and CentOS, start with RHSA. The vulnerability announcements of the Ubuntu distribution developed by Canonical start with USN. A vulnerability announcement contains the name of a software product on which the vulnerability is detected. The vulnerability announcements of distributions developed by Red Hat contain the severity levels that are specified by Red Hat. Security Center takes these levels into account when Security Center determines the sequence of vulnerability fixes.
Tags include Restart Required, Exploit Exists, Code Execution, Elevation of Privilege, and Remotely Exploitable.
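The announcement prefixes, Red Hat severity levels and tags described above can be combined into a fix plan. The following is an added example, not Security Center's own logic: the title layout, the placeholder advisory IDs, and the ordering rule (known exploit first, then remote reach, then Red Hat severity) are assumptions, and fixes tagged Restart Required are set aside for a maintenance window.

```python
import re
from dataclasses import dataclass

# Red Hat severity ratings, most severe first; USN titles carry none.
RH_SEVERITY = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
UNRATED = len(RH_SEVERITY)

# Assumed title layouts (not taken from the console):
#   RHSA-2099:0001-Moderate: kernel security update
#   USN-9999-1: curl vulnerabilities
RHSA = re.compile(r"^(RHSA-\d{4}:\d+)(?:-(\w+))?:\s+(\S+)")
USN = re.compile(r"^(USN-\d+-\d+):\s+(\S+)")

@dataclass(frozen=True)
class Announcement:
    vendor: str
    advisory_id: str
    package: str
    rank: int
    tags: frozenset

def parse(title, tags=()):
    """Classify an announcement by prefix and pull out ID, package, severity."""
    if m := RHSA.match(title):
        rank = RH_SEVERITY.get(m.group(2), UNRATED)
        return Announcement("Red Hat", m.group(1), m.group(3), rank, frozenset(tags))
    if m := USN.match(title):
        return Announcement("Canonical", m.group(1), m.group(2), UNRATED, frozenset(tags))
    raise ValueError(f"unrecognised announcement: {title!r}")

def plan(announcements):
    """Return (fix_now, maintenance_window), each most urgent first."""
    def urgency(a):  # assumed ordering, not Security Center's algorithm
        return ("Exploit Exists" not in a.tags,
                "Remotely Exploitable" not in a.tags, a.rank, a.advisory_id)
    ordered = sorted(announcements, key=urgency)
    window = [a for a in ordered if "Restart Required" in a.tags]
    fix_now = [a for a in ordered if "Restart Required" not in a.tags]
    return fix_now, window

# Constructed sample data: placeholder IDs, not real advisories.
SAMPLE = [
    parse("RHSA-2099:0001-Moderate: kernel security update",
          ["Restart Required", "Elevation of Privilege"]),
    parse("RHSA-2099:0002-Important: openssl security update", ["Remotely Exploitable"]),
    parse("USN-9999-1: curl vulnerabilities", ["Exploit Exists", "Remotely Exploitable"]),
    parse("RHSA-2099:0003-Critical: glibc security update",
          ["Restart Required", "Exploit Exists", "Code Execution"]),
]
```

Calling `plan(SAMPLE)` returns the two ordered lists; an announcement whose title matches neither prefix raises `ValueError` so it is not silently dropped from the plan.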
View CVE information
You can click a Common Vulnerabilities and Exposures (CVE) ID to view the technical details of the CVE. The CVE ID is marked 1 in the preceding figure.
View vulnerability details
You can click Details in the Actions column that corresponds to a vulnerability to view its cause. The Details button is marked 2 in the preceding figure.
View related processes
You can move the pointer over the icon in the Related process column to check whether the package of software affected by this vulnerability is loaded and view the process loading relationship. The icon is marked 3 in the preceding figure.
- If the icon is dimmed, the package of software affected by this vulnerability is not loaded.
- If the icon is blue, you can click the icon to view the process loading relationship.
You can fix vulnerabilities in the vulnerability details panel of the Security Center console. Multiple vulnerabilities can be fixed at a time.
- The Security Center Basic edition is activated for your Alibaba Cloud account.
None of the following Security Center editions is purchased: Anti-virus, Advanced, Enterprise, and Ultimate. By default, the Security Center Basic edition is activated for all Alibaba Cloud accounts.
Note: If you have purchased a paid edition of Security Center but did not renew the subscription after it expired, Security Center is automatically downgraded to the Basic edition. In this case, you cannot apply for a 7-day free trial of the Security Center Ultimate edition.
- You have not applied for a 7-day free trial of the Security Center Ultimate edition before.
- At least one Elastic Compute Service (ECS) instance is purchased.
What to do next
You must verify a vulnerability fix after the fix is complete. Then, the status of the vulnerability is updated in the Security Center console.
After you fix Linux kernel vulnerabilities, you must restart the operating system for the fixes to take effect.