The application vulnerability detection feature can detect common application vulnerabilities. This topic describes how to view and handle application vulnerabilities.

Supported editions

Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Feature.

Limits

  • Security Center can detect application vulnerabilities, but it cannot fix them for you. You must fix the vulnerabilities on your servers manually by following the suggestions on the Detail tab.
  • Security Center provides two modes for scanning application vulnerabilities: Web Scanner and Software Component Analysis. The two modes have the following limits:
    • Web Scanner: scans only servers that can access the Internet and have the Security Center agent installed. The servers can be Elastic Compute Service (ECS) instances or servers that are not deployed on Alibaba Cloud.
    • Software Component Analysis: scans servers that have the Security Center agent installed. The servers can be ECS instances or servers that are not deployed on Alibaba Cloud.

View the basic information about a vulnerability

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. On the Application tab, view all the application vulnerabilities that are detected by Security Center.

    You can perform the following operations on the tab:

    • Search for vulnerabilities

      On the Application tab, you can search for vulnerabilities by severity level, vulnerability status, scan mode, asset group, virtual private cloud (VPC) name, or vulnerability name. The severity level can be high, medium, or low. The vulnerability status can be handled or unhandled. The scan mode can be web scanner or software component analysis. You can also search for vulnerabilities by server IP address or server name.

    • View vulnerability scan modes

      Security Center scans for application vulnerabilities by using the following methods:
      • Web Scanner: inspects network traffic to detect vulnerabilities in your system. For example, this method can detect SSH weak passwords and remote command execution vulnerabilities.
      • Software Component Analysis: identifies installed software versions to detect vulnerabilities in your system. For example, this method can detect vulnerabilities in Apache Shiro authorization and Kubernetes kubelet resource management.
    • View the priorities of vulnerabilities and the number of affected assets
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability. The following list describes the relationship between colors and priorities:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix vulnerabilities with the High priority at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Application tab, you can select one or more vulnerabilities and click Add to Whitelist to add them to the whitelist. Security Center no longer generates alerts on the vulnerabilities that are added to the whitelist.

      Vulnerabilities that are added to the whitelist are not displayed in the vulnerability list on the Application tab. If you want to view these vulnerabilities, you can click Settings in the upper-right corner of the Vulnerabilities page and find the vulnerabilities in the Vul Whitelist section.

      If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist section in the Settings panel and click Remove.

    • Export vulnerabilities

      On the Application tab, you can click the Export icon to export all detected vulnerabilities and save them to your computer. The vulnerabilities are exported to an Excel file.

      Note The time to export the vulnerabilities varies based on the size of vulnerability data.

View vulnerability details and handle vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. In the Vulnerability column, click the name of the vulnerability that you want to handle, or click Fix in the Actions column of the vulnerability that you want to handle to go to the panel that shows the vulnerability details.
  5. In the panel, view and handle the vulnerability.
    You can perform the following operations:
    • View vulnerability details
      The panel displays all the affected assets and vulnerabilities associated with the vulnerability. You can analyze and handle multiple vulnerabilities at a time. You can view the following information:
      • On the Detail tab, you can view the associated vulnerabilities, descriptions, impacts, and characteristics.
      • On the Pending vulnerability tab, you can view the assets that are affected by this vulnerability.

        You can view the assets affected by the vulnerability and the status of the vulnerability. You can also verify a vulnerability fix, add a vulnerability to the whitelist, ignore a vulnerability, or restore an ignored vulnerability.


      Click an asset in the Affected Assets column to go to the Vulnerabilities tab of the Assets page. Then, click the Application tab to view the information about all application vulnerabilities associated with this asset.

    • View the details about the Alibaba Cloud vulnerability library

      On the Detail tab, find the vulnerability that you want to view and click the CVE ID to go to the Alibaba Cloud vulnerability library. On the page that appears, view the details of the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability status

      The status of a vulnerability can be Handled or Unhandled.

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts on this vulnerability.
      • Unhandled
        • Unfixed: The vulnerability is to be fixed.
        • Verifying: After you start the verification, the state of the vulnerability changes to Verifying.
        Note By default, all the unhandled vulnerabilities are displayed in the application vulnerability list.
    • Verify vulnerability fixes

      After you manually fix a vulnerability based on the suggestions that are displayed on the Detail tab, you can ask Security Center to check whether the fix was effective. Find the vulnerability for which you want to verify the fix and click Verify in the Actions column.

      After you click Verify, the state of the vulnerability changes to Verifying. It takes several seconds to verify the vulnerability fix.

      The following list shows the two possible results:
      • Verification succeeded: The state of the vulnerability changes to Fixed. You can view the vulnerability in the Handled vulnerability list.
      • Verification failed: The state of the vulnerability changes to Unfixed. This indicates that the vulnerability has not been fixed. We recommend that you troubleshoot the issue and handle the vulnerability at the earliest opportunity.
    • Ignore vulnerabilities

      If you do not want Security Center to generate alerts on some vulnerabilities, you can ignore these vulnerabilities. Select the vulnerability that you want to ignore and click Ignore in the Actions column. Security Center no longer generates alerts on this vulnerability.

      Note The state of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, find the vulnerability in the Handled vulnerability list and click Unignore in the panel.

Application vulnerabilities that can be detected

Vulnerability type: Weak passwords in system services
Check items:
  • OpenSSH services
  • MySQL database services
  • Microsoft SQL Server (MSSQL) database services
  • MongoDB database services
  • FTP, VSFTP, and ProFTPD services
  • Memcache cache services
  • Redis caching services
  • Subversion version control services
  • Server Message Block (SMB) file sharing services
  • Simple Mail Transfer Protocol (SMTP) email delivery services
  • Post Office Protocol 3 (POP3) email reception services
  • Internet Message Access Protocol (IMAP) email management services

Vulnerability type: Vulnerabilities in system services
Check items:
  • OpenSSL Heartbleed vulnerabilities
  • SMB
    • Samba
    • Brute-force attacks against weak passwords
  • RSYNC
    • Anonymous access to sensitive data
    • Brute-force attacks against password-based authentication
  • Brute-force attacks against VNC passwords
  • Brute-force attacks against pcAnywhere passwords
  • Brute-force attacks against Redis passwords

Vulnerability type: Vulnerabilities in application services
Check items:
  • phpMyAdmin weak passwords
  • Tomcat console weak passwords
  • Apache Struts 2 remote command execution vulnerabilities
  • Apache Struts 2 remote command execution vulnerability (S2-046)
  • Apache Struts 2 remote command execution vulnerability (S2-057)
  • Arbitrary file uploads in ActiveMQ (CVE-2016-3088)
  • Arbitrary file reads in Confluence
  • CouchDB Query Server remote command execution
  • Discuz! brute-force attacks against administrator weak passwords
  • Unauthorized access to Docker
  • Remote code execution in Drupal (Drupalgeddon 2, CVE-2018-7600)
  • ECShop code execution vulnerabilities in logon endpoints
  • Unauthorized access to Elasticsearch
  • Elasticsearch MvelRCE CVE-2014-31
  • Elasticsearch Groovy RCE CVE-2015-1427
  • Expression Language (EL) injection in Weaver OA
  • Unauthorized access to Hadoop YARN ResourceManager
  • Path traversal in JavaServer Faces 2
  • Java deserialization in JBoss EJBInvokerServlet
  • Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002)
  • Unauthorized access to Jenkins
  • Jenkins Script Security Plugin RCE
  • Unauthorized access to Kubernetes
  • SQL injection vulnerabilities in the MetInfo getPassword interface
  • SQL injection vulnerabilities in the MetInfo logon interface
  • Arbitrary file uploads in PHPCMS 9.6
  • PHP-CGI remote code execution vulnerabilities
  • Actuator unauth RCE
  • ThinkPHP_RCE_20190111
  • Server-side request forgery (SSRF) in WebLogic UDDI Explorer
  • SSRF in WordPress xmlrpc.php
  • Brute-force attacks against the Zabbix web console
  • OpenSSL Heartbleed detection
  • Unauthorized access to the WEB-INF directory in Apache Tomcat

References

Scan cycles

What are the differences between baselines and vulnerabilities?

What can I do if I cannot enable the vulnerability detection feature for a server on the Assets page?