Security Center uses the official package repositories of Linux distributions to provide closed-loop vulnerability detection and fixes, and gives you the reference information you need to assess and fix each Linux software vulnerability.

Considerations

  • For security

    When a vulnerability is detected, we recommend that you fix the vulnerability to harden your assets and improve the security of your system.

  • For stability

    To fix a vulnerability, Security Center runs commands on your assets to install patches for running applications or for core components of the operating system. Some fixes, such as kernel patches, take effect only after the affected asset is restarted, which may interrupt your business. In production environments or other environments that require high stability, plan fixes according to the threat level of each vulnerability and schedule the required restarts in maintenance windows to minimize downtime.

Information provided by Security Center

Vulnerability scan levels

In the left-side navigation pane, choose Precaution > Vulnerabilities. The Vulnerabilities page lists all unfixed Linux software vulnerabilities. To view only the vulnerabilities of a specific level, or the vulnerabilities that have already been fixed, select the corresponding search criteria in the search box.

To adjust the vulnerability scan level, click Settings in the upper-right corner of the Vulnerabilities page and select the levels you want under Vul scan level. Only vulnerabilities of the selected levels are displayed on the Vulnerabilities page. For example, if you select only High, only high-severity vulnerabilities are displayed. Note that deselecting a level hides those vulnerabilities from the page; it does not fix them.

Vendors bundle fixes for related software vulnerabilities found in the same period into one officially released patch. Each patch is identified by a vulnerability announcement ID, and the Vulnerabilities page groups vulnerabilities by announcement, so one announcement can cover several CVEs.

Vulnerability announcement ID format

The vulnerability announcements of the Red Hat series, such as Red Hat Enterprise Linux and CentOS, start with RHSA (Red Hat Security Advisory). The vulnerability announcements of the Ubuntu series from Canonical start with USN (Ubuntu Security Notice). The title of an announcement names the affected software package. Announcements from the Red Hat series carry the severity levels that Red Hat assigns (Low, Moderate, Important, and Critical). Security Center takes these levels into account when determining the fix order.
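As an added example that is not part of Security Center, the following POSIX shell script shows how the same prioritization can be reproduced on a Red Hat-family host: it reads pending security advisories in the one-line-per-advisory form printed by yum updateinfo list --security (dnf prints the same form), keeps those at or above a chosen severity, which plays the role of the Vul scan level filter, and orders them by Red Hat's severity so that Critical RHSA announcements come out first. The four advisory lines are constructed sample input, not real advisories.

```shell
#!/bin/sh
# Added example, not Security Center code. Ranks pending security advisories
# on a Red Hat-family host by Red Hat's severity so the most urgent
# RHSA announcements are fixed first.
#
# Real input comes from:  yum updateinfo list --security   (or dnf)
# Each line has the form:  <advisory-id> <Severity>/Sec. <package-nevra>
# The sample below is constructed for this example; it is not real output.
SAMPLE_UPDATEINFO='RHSA-2023:0001 Moderate/Sec.  curl-7.61.1-30.el8_8.3.x86_64
RHSA-2023:0002 Critical/Sec.  kernel-4.18.0-477.27.1.el8_8.x86_64
RHSA-2023:0003 Important/Sec. openssl-libs-1:1.1.1k-9.el8_7.x86_64
RHSA-2023:0004 Low/Sec.       bash-4.4.20-4.el8_6.x86_64'

# Map Red Hat severity names to a sortable rank (higher = fix sooner).
severity_rank() {
    case "$1" in
        Critical)  echo 4 ;;
        Important) echo 3 ;;
        Moderate)  echo 2 ;;
        Low)       echo 1 ;;
        *)         echo 0 ;;   # unknown severity sorts last
    esac
}

# fix_order <min_severity>   (reads updateinfo lines on stdin)
# Prints "<advisory-id> <severity> <package>" for every advisory at or above
# the threshold, most severe first. The threshold mirrors the console's
# "Vul scan level" filter: anything below it is dropped, not fixed.
fix_order() {
    min_rank=$(severity_rank "$1")
    while read -r advisory sev pkg; do
        sev=${sev%%/*}                    # "Important/Sec." -> "Important"
        rank=$(severity_rank "$sev")
        [ "$rank" -ge "$min_rank" ] || continue
        printf '%s %s %s %s\n' "$rank" "$advisory" "$sev" "$pkg"
    done | sort -rn -k1,1 | cut -d' ' -f2-
}

# Usage on a real host (the grep drops yum's header and footer lines):
#   yum updateinfo list --security | grep -E '^(RHSA|RHBA|RHEA)-' | fix_order Important
printf '%s\n' "$SAMPLE_UPDATEINFO" | fix_order Important
```

Running the script on the constructed input prints the Critical kernel advisory first and the Important openssl-libs advisory second; the Moderate and Low lines are dropped by the threshold. Lowering the threshold to Low lists all four.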

Vulnerability tags

Security Center tags each announcement with the characteristics of the vulnerabilities it covers and displays the tags next to the announcement.

Tags include Restart Required, Exploit Exists, Code Execution, Elevation of Privilege, and Remotely Exploitable. Use the tags together with the severity level when you prioritize fixes: an announcement tagged Exploit Exists and Remotely Exploitable on an Internet-facing asset needs attention first, and Restart Required tells you whether the fix must be scheduled in a maintenance window.

After you click a vulnerability announcement, a details pane appears. It provides the following information:

CVE information

You can click a Common Vulnerabilities and Exposures (CVE) ID to view the technical details of that CVE.

Vulnerability details

You can click Details in the Actions column that corresponds to a vulnerability to view its cause.

Related process

You can click the icon in the Related process column to check whether the software package affected by the vulnerability is loaded by a running process.

  • A gray icon indicates that the affected package is not loaded by any process.
  • A blue icon indicates that the package is loaded. Click the icon to view which processes load it.

A loaded package means the vulnerable code is currently in memory. After the package is patched, those processes keep running the old code until they are restarted, so the fix is not effective for them until then.

Vulnerability fix

You can fix vulnerabilities from the details pane in the Security Center console. You can select multiple vulnerabilities and fix them at the same time.

Follow-up operations

After a fix is completed, verify it in the console. Security Center then checks the asset again and shows whether the vulnerability is fixed.

After you fix a Linux kernel vulnerability, restart the system for the fix to take effect: the patched kernel is installed on disk, but the running kernel does not change until the next boot. The same applies to any other announcement tagged Restart Required.
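The following POSIX shell helpers are an added example, not code from the Security Center console or its agent. They reproduce on the host what the Related process indicator and the follow-up verification check: whether a package's library is mapped by a running process (including an already-replaced copy that the kernel marks "(deleted)"), whether the installed package version reaches the version named in the announcement, and whether a newer kernel is installed than the one that is running. The maps lines, package versions, and kernel releases are constructed sample data; the commands that produce the real inputs on a host are named in the comments.

```shell
#!/bin/sh
# Added example, not Security Center code: host-side checks that mirror the
# console's "Related process" indicator and the post-fix verification.
# The helpers read their input from arguments or stdin so they run offline;
# the commands that produce that input on a real host are noted in comments.

# Constructed sample of one process's /proc/<pid>/maps after openssl-libs was
# patched while the daemon kept running: the old libssl/libcrypto files are
# still mapped and show "(deleted)"; libz is the current file.
SAMPLE_MAPS='7f3c1a000000-7f3c1a0a0000 r-xp 00000000 fd:00 1234567 /usr/lib64/libssl.so.1.1 (deleted)
7f3c1a2a0000-7f3c1a4e0000 r-xp 00000000 fd:00 1234568 /usr/lib64/libcrypto.so.1.1 (deleted)
7f3c1b000000-7f3c1b020000 r-xp 00000000 fd:00 2345678 /usr/lib64/libz.so.1.2.11'

# Constructed list of installed kernel releases, as printed by:
#   rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel
SAMPLE_KERNELS='4.18.0-425.3.1.el8.x86_64
4.18.0-477.27.1.el8_8.x86_64'

# loaded_by_process <library-path>   (reads a maps file on stdin)
# Prints 0 = not mapped, 1 = current file mapped (the console's blue icon),
# 2 = a replaced copy is still mapped, so the fix is not in effect for this
# process until it is restarted.
# Real use:  loaded_by_process /usr/lib64/libssl.so.1.1 < /proc/<pid>/maps
#            cat /proc/[0-9]*/maps 2>/dev/null | loaded_by_process <path>   # whole host
# Library paths shipped by a package:  rpm -ql openssl-libs | grep '\.so'
loaded_by_process() {
    lib=$1; maps=$(cat)
    if printf '%s\n' "$maps" | grep -qF -- "$lib (deleted)"; then
        echo 2
    elif printf '%s\n' "$maps" | grep -qF -- "$lib"; then
        echo 1
    else
        echo 0
    fi
}

# version_at_least <installed> <fixed>
# Prints 1 if installed >= fixed using natural version order (sort -V, GNU
# coreutils). Adequate for the version-release strings quoted in RHSA/USN
# announcements; rpmdev-vercmp or dpkg --compare-versions is the authoritative
# comparison on the host (epochs and tilde versions are handled there).
# Installed version:  rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl-libs
#               or:   dpkg-query -W -f '${Version}\n' libssl1.1
version_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)
    [ "$lowest" = "$2" ] && echo 1 || echo 0
}

# kernel_reboot_needed <running-release> <installed-release-list>
# Prints 1 if a kernel newer than the running one is installed, i.e. the
# kernel fix is on disk but not in effect until reboot.
# Inputs on a real host:  uname -r   and the rpm -q kernel query above.
# (Debian/Ubuntu hosts additionally create /var/run/reboot-required.)
kernel_reboot_needed() {
    running=$1
    newest=$(printf '%s\n%s\n' "$running" "$2" | sort -V | tail -n1)
    [ "$newest" = "$running" ] && echo 0 || echo 1
}

# Demo on the constructed data; prints 2, 1, 0, 1 in that order.
printf '%s\n' "$SAMPLE_MAPS" | loaded_by_process /usr/lib64/libssl.so.1.1
version_at_least 1.1.1k-9.el8_7 1.1.1k-9.el8_7
version_at_least 1.1.1k-7.el8_6 1.1.1k-9.el8_7
kernel_reboot_needed 4.18.0-425.3.1.el8.x86_64 "$SAMPLE_KERNELS"
```

The "(deleted)" case is the one that trips up verification: the package manager reports the fixed version, yet the process that was exploitable is still executing the old library, so both the version check and the process check have to pass before a fix is considered effective on that asset.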