Security Center uses Linux repositories to provide closed-loop vulnerability detection and fixes, as well as a comprehensive reference for you to fix vulnerabilities.

Considerations

  • Security

    If a vulnerability is detected, we recommend that you install the required patch to fix the vulnerability and harden the security of your assets.

  • Stability

    To fix a vulnerability, you may need to run code or commands on your assets to install patches for running applications or the core components of operating systems. This operation restarts the affected application or operating system, which may cause service interruptions. In production environments or other environments that require high stability, you must plan vulnerability fixes based on their threat level to minimize downtime.

Information about vulnerability-related features provided by Security Center

Vulnerability detection

All Security Center editions, including the Basic edition, support the vulnerability detection feature. If you have not purchased a paid edition, you can use the Basic edition to detect vulnerabilities. For more information, see Introduction to Security Center Basic.

In the left-side navigation pane of the Security Center console, choose Precaution > Vulnerabilities. On the Vulnerabilities page, all unhandled Linux software vulnerabilities are displayed. To view the vulnerabilities of a specific priority, or vulnerabilities that have already been handled, specify the search condition in the search box.

(Figure: Linux Software tab)

To adjust Vul scan level, click Settings in the upper-right corner of the Vulnerabilities page and set Vul scan level based on your business requirements. Vulnerabilities of a given priority appear on the Vulnerabilities page only if that priority is selected. For example, if you select only High for Vul scan level, only High-priority vulnerabilities are displayed.

(Figure: Vul scan level)

Software vulnerabilities that have similar causes and are disclosed in the same period are typically fixed by one officially released patch. Each such patch is labeled with a vulnerability announcement ID, so the Vulnerabilities page groups vulnerabilities by announcement.

Format of a vulnerability announcement

The vulnerability announcements of distributions developed by Red Hat, such as Red Hat Enterprise Linux and CentOS, start with RHSA. The vulnerability announcements of the Ubuntu distribution developed by Canonical start with USN. A vulnerability announcement contains the name of the software product in which the vulnerability was detected. The vulnerability announcements of distributions developed by Red Hat also contain the severity levels that Red Hat assigns. Security Center takes these levels into account when it determines the sequence of vulnerability fixes.

Vulnerability tags

Security Center identifies the characteristics of vulnerabilities from their announcements and displays these characteristics as tags next to the announcements.

(Figure: Vulnerability tags)

Tags include Restart Required, Exploit Exists, Code Execution, Elevation of Privilege, and Remotely Exploitable.

After you click a vulnerability announcement, the panel that shows vulnerability details appears.

(Figure: Detail tab)

View CVE information

You can click a Common Vulnerabilities and Exposures (CVE) ID to view the technical details of the CVE. The CVE ID is marked 1 in the preceding figure.

View vulnerability details

You can click Details in the Actions column that corresponds to a vulnerability to view its cause. The Details button is marked 2 in the preceding figure.

View related processes

You can move the pointer over the icon in the Related process column to check whether the software package affected by the vulnerability is loaded and to view the process loading relationship. The icon is marked 3 in the preceding figure.

  • If the icon is dimmed, the software package affected by the vulnerability is not loaded.
  • If the icon is blue, you can click it to view the process loading relationship.

(Figure: Process loading relationship)
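The page describes three inputs that shape the order in which fixes are applied: the severity that Red Hat assigns in RHSA announcements, the tags Security Center shows next to an announcement, and whether the affected package is currently loaded. The following script is an added example (not Security Center's own code) that turns those inputs into a fix plan. The announcement IDs, severities, tags and package states are constructed sample data, and the scoring weights and the split into fixes that can be applied now versus fixes that need a restart window are assumptions made for this example.

```python
"""Ordering vulnerability announcements for fixing.

Added example, not Security Center's own code. The announcement IDs,
severities, tags and package states are constructed sample data; the
scoring weights and the urgent/scheduled split are assumptions that
mirror the inputs the page describes: the Red Hat severity carried by
RHSA announcements, the tags shown next to an announcement, and whether
the affected package is currently loaded.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Red Hat's severity scale, highest first. USN announcements carry none.
SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1}

# Urgency added per tag (assumed weights). Restart Required changes *when*
# a fix can be applied, not how urgent it is, so it carries no weight here.
TAG_WEIGHT = {
    "Exploit Exists": 3,
    "Remotely Exploitable": 3,
    "Code Execution": 2,
    "Elevation of Privilege": 1,
    "Restart Required": 0,
}


@dataclass(frozen=True)
class Announcement:
    id: str
    package: str
    tags: FrozenSet[str]
    severity: Optional[str] = None   # set for RHSA, None for USN
    package_loaded: bool = False     # blue icon (loaded) vs dimmed icon


def vendor(announcement_id: str) -> str:
    """Classify an announcement by its prefix: RHSA (Red Hat family) or USN (Ubuntu)."""
    prefix = announcement_id.split("-", 1)[0].upper()
    return {"RHSA": "redhat", "USN": "ubuntu"}.get(prefix, "unknown")


def score(a: Announcement) -> int:
    """Higher means fix sooner. Unknown severity is treated as Moderate (assumption)."""
    s = SEVERITY_RANK.get(a.severity, SEVERITY_RANK["Moderate"]) * 10
    s += sum(TAG_WEIGHT.get(t, 0) for t in a.tags)
    if a.package_loaded:
        s += 5   # a loaded package is reachable by running processes
    return s


def plan_fixes(announcements: List[Announcement]) -> Tuple[List[str], List[str]]:
    """Split into (urgent, scheduled), each ordered by descending score.

    'urgent' can be patched without a restart; 'scheduled' needs a
    restart, so it belongs in a planned maintenance window.
    """
    ordered = sorted(announcements, key=score, reverse=True)
    urgent = [a.id for a in ordered if "Restart Required" not in a.tags]
    scheduled = [a.id for a in ordered if "Restart Required" in a.tags]
    return urgent, scheduled


# Constructed sample announcements; the IDs are placeholders, not real advisories.
SAMPLE = [
    Announcement("RHSA-EXAMPLE:0001", "openssl",
                 frozenset({"Remotely Exploitable", "Exploit Exists"}), "Important", True),
    Announcement("RHSA-EXAMPLE:0002", "kernel",
                 frozenset({"Elevation of Privilege", "Restart Required"}), "Important", True),
    Announcement("USN-EXAMPLE-1", "vim", frozenset({"Code Execution"}), None, False),
    Announcement("RHSA-EXAMPLE:0003", "glibc",
                 frozenset({"Code Execution", "Remotely Exploitable"}), "Critical", False),
]

if __name__ == "__main__":
    urgent, scheduled = plan_fixes(SAMPLE)
    print("fix now:     ", urgent)
    print("needs window:", scheduled)
```

With the sample data, the Critical glibc announcement comes first even though its package is not loaded, the loaded openssl package with a known exploit follows, and the kernel announcement is held back for a restart window despite its Important severity, which is the trade-off between security and stability described under Considerations.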

Vulnerability fixing

You can fix vulnerabilities in the vulnerability details panel of the Security Center console. Multiple vulnerabilities can be fixed at a time.

Only the Advanced, Enterprise, and Ultimate editions support the vulnerability fixing feature. Users of the Basic edition can apply for a 7-day free trial of the Ultimate edition to use the vulnerability fixing feature. After your application is approved, you can fix vulnerabilities in the Security Center console for seven days; after that, the vulnerability fixing feature is no longer available. For more information about how to apply for a free trial, see Apply for a free trial of the Security Center Ultimate edition. Users of the Basic edition can apply for a free trial only when they meet the following conditions:
  • The Security Center Basic edition is activated for your Alibaba Cloud account.

    None of the following Security Center editions is purchased: Anti-virus, Advanced, Enterprise, and Ultimate. By default, the Security Center Basic edition is activated for all Alibaba Cloud accounts.

    Note If you have purchased a paid edition of Security Center but did not renew the subscription after it expired, Security Center is automatically downgraded to the Basic edition. In this case, you cannot apply for a 7-day free trial of the Security Center Ultimate edition.
  • You have not applied for a 7-day free trial of the Security Center Ultimate edition before.
  • At least one Elastic Compute Service (ECS) instance is purchased.

What to do next

After a fix is complete, you must verify it. Security Center then updates the status of the vulnerability in the console.

After you fix Linux kernel vulnerabilities, you must restart the operating system for the fixes to take effect.
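The two steps above, verifying that a fix is in place and remembering that a kernel fix is not in effect until the operating system restarts, can both be checked from the installed package versions. The script below is an added example, not Security Center's own code. The version strings are constructed samples in the shape of `rpm -q --queryformat '%{VERSION}-%{RELEASE}'` output and `uname -r`, the "fixed" versions are placeholders standing in for the versions an announcement names, and the version ordering is a simplified one (numeric chunks compare numerically, alphabetic chunks lexically, numeric beats alphabetic) rather than a full rpmvercmp or dpkg --compare-versions implementation.

```python
"""Verifying a Linux package fix and checking whether a restart is pending.

Added example, not Security Center's own code. Version strings are
constructed samples shaped like `rpm -q --queryformat
'%{VERSION}-%{RELEASE}'` output and `uname -r`; the 'fixed' versions are
placeholders for the versions named in an announcement. The ordering is a
simplified one, not a full rpmvercmp / dpkg --compare-versions.
"""
import re
from typing import Dict, Iterable, List

# Architecture suffix that `uname -r` appends but package versions lack.
_ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|i686|noarch)$")


def _key(version: str):
    """Turn '1.0.2k-22' into [(1,1),(1,0),(1,2),(0,'k'),(1,22)].

    Numeric chunks become (1, int) and alphabetic chunks (0, str), so
    lists compare element-wise without ever comparing int to str, and a
    numeric chunk always sorts above an alphabetic one.
    """
    version = _ARCH_SUFFIX.sub("", version)
    parts = []
    for chunk in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((1, int(chunk)) if chunk.isdigit() else (0, chunk))
    return parts


def version_at_least(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixing version."""
    return _key(installed) >= _key(fixed)


def unresolved(installed: Dict[str, str], fixed: Dict[str, str]) -> List[str]:
    """Packages whose installed version is still below what the announcement requires."""
    return sorted(
        pkg for pkg, want in fixed.items()
        if pkg not in installed or not version_at_least(installed[pkg], want)
    )


def kernel_restart_pending(running: str, installed_kernels: Iterable[str]) -> bool:
    """True if a kernel newer than the running one is installed: the fix is
    on disk but not in effect until the operating system restarts."""
    newest = max(installed_kernels, key=_key)
    return _key(running) < _key(newest)


# Constructed samples standing in for package-manager output.
SAMPLE_INSTALLED = {"openssl": "1.0.2k-22", "glibc": "2.17-317"}
SAMPLE_FIXED = {"openssl": "1.0.2k-19", "glibc": "2.17-326"}   # placeholder fix versions
SAMPLE_RUNNING_KERNEL = "3.10.0-1160.el7.x86_64"                # as from `uname -r`
SAMPLE_INSTALLED_KERNELS = ["3.10.0-1160.el7", "3.10.0-1160.99.1.el7"]

if __name__ == "__main__":
    print("still vulnerable:", unresolved(SAMPLE_INSTALLED, SAMPLE_FIXED))
    print("kernel restart pending:",
          kernel_restart_pending(SAMPLE_RUNNING_KERNEL, SAMPLE_INSTALLED_KERNELS))
```

In the sample data openssl is at or above its fixing version, glibc is not, and the newest installed kernel is newer than the one reported by `uname -r`, so the kernel fix is installed but will not take effect until the restart the page calls for.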