The application vulnerability detection feature can detect major application vulnerabilities. This topic describes how to view and manage application vulnerabilities.

Limits

The application vulnerability detection feature has the following limits.

• Asset type: The application vulnerability detection feature supports only Alibaba Cloud Elastic Compute Service (ECS) instances. External servers or servers in on-premises data centers are not supported.
• Edition: Only the Enterprise edition of Security Center supports application vulnerability detection. The Basic, Basic Anti-virus, and Advanced editions do not support this feature.

Notice Security Center can only detect application vulnerabilities. You must manually fix the vulnerabilities based on the suggestions provided on the Detail tab.

View vulnerability information

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. On the Application tab, view all the application vulnerabilities detected by Security Center.

    Perform the following operations based on your needs:

    • Filter vulnerabilities
      On the Application tab, you can filter vulnerabilities by scan mode, vulnerability status, vulnerability priority, asset group, virtual private cloud (VPC), vulnerability name, server IP address, or server name. The scan modes are Web Scanner and Software Component Analysis. The vulnerability statuses are Handled and Unhandled. The vulnerability priorities are High, Medium, and Low.
    • View vulnerability announcements
    • View vulnerability scan modes
      Security Center scans for application vulnerabilities in the following two modes:
      • Web Scanner: detects vulnerabilities in your system based on network traffic, that is, by probing the exposed service. Examples are weak SSH passwords and remote command execution.
      • Software Component Analysis: detects vulnerabilities in your system based on the versions of installed software components. Examples are Apache Shiro authentication vulnerabilities and denial-of-service vulnerabilities in kubelet.
    • View vulnerability priorities
      The number of vulnerabilities at each priority level is displayed in a different color.
      • Red: High priority.
      • Orange: Medium priority.
      • Gray: Low priority.
      [Figure: Priority levels of application vulnerabilities and affected assets]
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Application tab, you can select one or more vulnerabilities and click Add to Whitelist to add them to the whitelist. After you add the vulnerabilities to the whitelist, Security Center no longer generates alerts on these vulnerabilities.

      Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Application tab. You can click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.

      If you want Security Center to detect and generate alerts on a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and click Remove to remove the vulnerability from the whitelist.

      [Figure: The Settings page]
    • Export vulnerabilities

      On the Application tab, you can click the Export icon to export all the application vulnerabilities detected by Security Center to your on-premises machine. The exported file is in the Excel format.

      Note It may take some time to export the vulnerability records, depending on the file size.
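
The Software Component Analysis scan mode described above works by comparing the versions of installed software components with known vulnerable version ranges. The following Python script is an added illustration of that kind of check; it is not Security Center's code and does not reproduce its rule set. The component names, host inventory, version ranges and rule titles are constructed for the example and are not real advisory data. It also shows what the later verification step amounts to for a version-based finding: the same match is re-run against the upgraded version, and the finding clears only when no rule still applies.

```python
"""
Software Component Analysis (SCA) style check: match installed component
versions against vulnerable version ranges. Added example, not Security Center
code. All rules, ranges and inventory entries below are constructed.
"""
import re
from dataclasses import dataclass

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")
_CLAUSE_RE = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")


def parse_version(text: str) -> tuple[int, ...]:
    """'1.2.4', 'v1.13.2' or '2.4.1-alpha' -> (1, 2, 4), (1, 13, 2), (2, 4, 1).
    Pre-release suffixes are dropped; only the numeric core is compared."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _aligned(a: tuple[int, ...], b: tuple[int, ...]):
    """Right-pad with zeros so that '1.2' and '1.2.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(version: str, spec: str) -> bool:
    """spec is a comma-separated list of constraints such as '>=1.0.0, <1.2.5'.
    Every constraint must hold for the version to count as affected."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        a, b = _aligned(v, parse_version(bound))
        holds = {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "==": a == b}[op]
        if not holds:
            return False
    return True


@dataclass(frozen=True)
class Rule:
    component: str   # normalized component name
    affected: str    # vulnerable version range
    title: str
    priority: str    # High / Medium / Low, as shown on the Application tab


@dataclass(frozen=True)
class Finding:
    host: str
    component: str
    version: str
    title: str
    priority: str


# Constructed rules: illustrative names and ranges, not a real advisory feed.
RULES = [
    Rule("apache-shiro", "<1.2.5", "Apache Shiro authentication bypass (example rule)", "High"),
    Rule("kubelet", ">=1.10.0, <1.11.9", "kubelet denial of service (example rule)", "Medium"),
]

# Constructed inventory as a version-based scanner would collect it: (host, component, version).
INVENTORY = [
    ("10.0.1.10", "apache-shiro", "1.2.4"),
    ("10.0.1.10", "kubelet", "v1.11.2"),
    ("10.0.1.11", "apache-shiro", "1.2.5"),
    ("10.0.1.11", "redis", "5.0.7"),
    ("10.0.1.12", "kubelet", "v1.13.0"),
]

_PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def scan(inventory, rules) -> list[Finding]:
    """One Finding per (host, component) whose version falls inside a vulnerable
    range, sorted High priority first to match the fix-first recommendation."""
    findings = []
    for host, component, version in inventory:
        for rule in rules:
            if rule.component == component and in_range(version, rule.affected):
                findings.append(Finding(host, component, version, rule.title, rule.priority))
    findings.sort(key=lambda f: (_PRIORITY_ORDER[f.priority], f.host, f.component))
    return findings


def verify_fix(host: str, component: str, new_version: str, rules) -> bool:
    """Re-check one component after a manual upgrade. True means no rule still
    matches, which is what a successful verification amounts to."""
    return not scan([(host, component, new_version)], rules)


if __name__ == "__main__":
    for f in scan(INVENTORY, RULES):
        print(f"{f.priority:<6} {f.host:<12} {f.component} {f.version}: {f.title}")
    print("fix verified:", verify_fix("10.0.1.10", "apache-shiro", "1.2.5", RULES))
```

Running the script lists two findings (the Shiro 1.2.4 and kubelet 1.11.2 entries on 10.0.1.10) and reports the Shiro upgrade to 1.2.5 as verified. Note that version matching of this kind only sees what the version string says: a backported fix that keeps the old version number still shows as affected, which is one reason a traffic-based probe is kept alongside it.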

View and manage vulnerabilities

Notice Security Center can only detect application vulnerabilities. You must manually fix the vulnerabilities based on the suggestions provided on the Detail tab.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. Find the vulnerability you want to view, and click the name of the vulnerability or click Fix in the Actions column. The details page of the vulnerability appears.
  5. On the Detail tab, view and manage vulnerabilities.
    Perform the following operations based on your needs:
    • View vulnerabilities
      The Detail tab displays information about the related vulnerabilities and the assets they affect, so you can analyze and manage multiple vulnerabilities at a time. You can view the following information:
      • The Detail tab lists the related vulnerabilities with their descriptions, impacts, and characteristics.
      • The Pending vulnerability tab lists the assets that are affected by the vulnerabilities.

        You can view all the assets affected by the vulnerabilities and the vulnerability status. You can also manage vulnerabilities. For example, you can verify a vulnerability fix, add a vulnerability to the whitelist, ignore a vulnerability, or restore an ignored vulnerability.

      [Figure: Vulnerability details]

      You can click the name of an asset in the Affected Assets column to go to the Application tab for that asset. You can also choose Assets > Vulnerabilities > Application. On the Application tab, view the vulnerability details.

    • View vulnerability details in the Alibaba Cloud vulnerability library

      On the Detail tab, you can find the vulnerability that you want to view and click the CVE ID to go to the Alibaba Cloud vulnerability library. This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability status

      The status of a vulnerability can be Handled or Unhandled.

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts on this vulnerability.
      • Unhandled
        • Unfixed: The vulnerability is not fixed.
        • Verifying: You have fixed the vulnerability and clicked Verify, and Security Center is checking the fix. If the fix requires a system restart, verify the fix after you restart the system.
        Note By default, all the unhandled vulnerabilities appear in the application vulnerability list.
    • Verify vulnerabilities

      After you manually fix a vulnerability based on the suggestions provided on the Detail tab, find the vulnerability that you want to verify and click Verify in the Actions column to check whether the fix took effect.

      After you click Verify, the status of the vulnerability changes to Verifying. Vulnerability verification takes several seconds.

      The following list shows the two possible results.
      • Verification succeeded: The status of the vulnerability changes to Fixed. You can view the vulnerability in the Handled vulnerability list.
      • Verification failed: The status of the vulnerability remains Unfixed. We recommend that you troubleshoot the issue and handle the vulnerability in a timely manner.
    • Ignore vulnerabilities

      If you do not want Security Center to generate alerts on some vulnerabilities, ignore the vulnerabilities. On the Application tab, you can select one or more vulnerabilities, and click Ignore. Security Center no longer generates alerts on the vulnerabilities that are ignored.

      Note After you ignore a vulnerability, the status of the vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability again, select the vulnerability in the Handled vulnerability list and click Cancel ignore.

Types of vulnerabilities that Security Center can detect

Security Center checks the following items, grouped by vulnerability type.

Weak passwords for system logons
  • OpenSSH
  • MySQL
  • Microsoft SQL Server
  • MongoDB
  • FTP, VSFTP, and ProFTPD
  • Memcache
  • Redis
  • Subversion
  • Server Message Block (SMB)
  • Simple Mail Transfer Protocol (SMTP)
  • Post Office Protocol 3 (POP3)
  • Internet Message Access Protocol (IMAP)

Vulnerabilities in systems
  • OpenSSL Heartbleed
  • SMB
    • Samba
    • Brute-force attacks on weak passwords
  • RSYNC
    • Anonymous access that causes sensitive data breaches
    • Brute-force attacks on authenticated passwords
  • Brute-force attacks for VNC logons
  • Brute-force attacks for pcAnywhere logons
  • Brute-force attacks for Redis logons

Vulnerabilities in application services
  • Weak passwords for phpMyAdmin logons
  • Weak passwords for Tomcat logons
  • Apache Struts 2 remote command execution vulnerabilities
  • Apache Struts 2 remote command execution vulnerability (S2-046)
  • Apache Struts 2 remote command execution vulnerability (S2-057)
  • Arbitrary file uploads in ActiveMQ (CVE-2016-3088)
  • Arbitrary file read operations in Confluence
  • Remote command execution in Apache CouchDB
  • Brute-force attacks on weak passwords of Discuz! administrator accounts
  • Unauthorized access to Docker
  • Remote code execution in Drupal, Drupalgeddon 2 (CVE-2018-7600)
  • Remote code execution in ECshop
  • Unauthorized access to Elasticsearch
  • Elasticsearch MVEL RCE CVE-2014-31
  • Elasticsearch Groovy RCE (CVE-2015-1427)
  • Expression Language (EL) injection in Weaver OA
  • Unauthorized access to Hadoop YARN ResourceManager
  • Path traversal in JavaServer Faces 2
  • Java deserialization in JBoss EJBInvokerServlet
  • Anonymous access to Jenkins (CVE-2018-1999001 and CVE-2018-1999002)
  • Unauthorized access to Jenkins
  • Jenkins Script Security Plugin RCE
  • Unauthorized access to Kubernetes
  • SQL injection caused by calling the getPassword operation in MetInfo
  • SQL injection caused by calling the login operation in MetInfo
  • Arbitrary file uploads in PHPCMS 9.6
  • PHP-CGI remote code execution
  • Unauthenticated RCE in Actuator
  • ThinkPHP RCE (ThinkPHP_RCE_20190111)
  • Server-side request forgery (SSRF) in WebLogic UDDI Explorer
  • SSRF in WordPress xmlrpc.php
  • Brute-force attacks on Zabbix
  • OpenSSL Heartbleed
  • Unauthorized access to the WEB-INF directory in Apache Tomcat