The application vulnerability detection feature can detect common application vulnerabilities. This topic describes how to view and manage application vulnerabilities.

Limits

The application vulnerability detection feature has the following limits.

Limit: Asset type
Description: The application vulnerability detection feature supports only Alibaba Cloud Elastic Compute Service (ECS) instances. External servers and servers in data centers are not supported.

Limit: Edition
Description: Only the Enterprise edition of Security Center supports application vulnerability detection. The Basic, Basic Anti-virus, and Advanced editions do not support this feature.
Notice Security Center can only detect application vulnerabilities. It cannot fix the detected vulnerabilities. You must manually fix the vulnerabilities based on the suggestions that are displayed on the Detail tab.

View vulnerability information

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. On the Application tab, view all the application vulnerabilities detected by Security Center.

    Perform the following operations based on your requirements:

    • Search for vulnerabilities
      On the Application tab, you can search for vulnerabilities by scan mode, vulnerability status, vulnerability severity, asset group, virtual private cloud (VPC) name, vulnerability name, server IP address, or server name. The scan modes include Web Scanner and Software Component Analysis. The vulnerability status includes Handled and Unhandled. The vulnerability severity includes High, Medium, and Low.
    • View vulnerabilities
      On the Application tab, you can view the announcements on application vulnerabilities.
    • View vulnerability scan modes
      Security Center scans for application vulnerabilities based on the following methods:
      • Web Scanner: detects security vulnerabilities in your system by inspecting network traffic. For example, you can use this method to scan for SSH weak passwords and remote command execution.
      • Software Component Analysis: detects vulnerabilities in your system by identifying software versions. For example, you can use this method to scan for vulnerabilities of Apache Shiro authorization and kubelet resource management.
    • View the priorities of vulnerabilities and the number of affected assets
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of assets affected by the vulnerability. The colors map to priorities as follows:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix vulnerabilities with the High priority at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Application tab, you can select one or more vulnerabilities and click Add to Whitelist to add them to the whitelist. After you add the vulnerabilities to the whitelist, Security Center no longer generates alerts on these vulnerabilities.

      Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Application tab. You can click Settings in the upper-right corner of the page to view these vulnerabilities in the Vul Whitelist list.

      If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist column in the Settings panel and click Remove.

    • Export vulnerabilities

      On the Application tab, you can click the Export icon to export all the application vulnerabilities detected by Security Center to your on-premises machine. The vulnerabilities are exported as an Excel file.

      Note Depending on the amount of vulnerability data, the export may take a long time.

View vulnerability details and manage vulnerabilities

Notice Security Center can only detect application vulnerabilities. It cannot fix the detected vulnerabilities. You must manually fix the vulnerabilities based on the suggestions that are displayed on the Detail tab.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Application tab.
  4. Find the vulnerability that you want to view, and click the name of the vulnerability announcement or click Fix in the Actions column to go to the Detail tab.
  5. On the Detail tab, view and manage vulnerabilities.
    Perform the following operations based on your requirements:
    • View vulnerability details
      The Detail tab displays all vulnerabilities that are related to the vulnerability announcement and all affected assets. You can analyze and handle multiple vulnerabilities at a time. You can view the following information:
      • The Detail tab displays the related vulnerabilities, descriptions, impacts, and features.
      • The Pending vulnerability tab displays the assets that are affected by the vulnerabilities.

        You can view all the assets that are affected by the vulnerabilities and the vulnerability status. You can also manage vulnerabilities. For example, you can verify a vulnerability fix, add a vulnerability to the whitelist, ignore a vulnerability, or restore an ignored vulnerability.


      You can click the name of an asset in the Affected Assets column to go to the Assets > Vulnerabilities > Application tab, where you can view the vulnerability details for that asset.

    • View details of the Alibaba Cloud vulnerability library

      On the Detail tab, find the vulnerability that you want to view and click CVE ID to go to the Alibaba Cloud vulnerability library. On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability status

      The status of a vulnerability can be Handled or Unhandled.

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts on this vulnerability.
      • Unhandled
        • Unfixed: The vulnerability is to be fixed.
        • Verifying: After you click Verify for a vulnerability, its status changes to Verifying while Security Center checks whether the fix took effect.
        Note By default, all the unhandled vulnerabilities are displayed in the application vulnerability list.
    • Verify vulnerabilities

      After you manually fix a vulnerability based on the suggestions provided on the Detail tab, click Verify to check whether the vulnerability is fixed. Find the vulnerability that you want to verify and click Verify in the Actions column.

      After you click Verify, the state of the vulnerability changes to Verifying. It takes several seconds to verify the vulnerability fix.

      The following list shows the two possible results:
      • Verification succeeded: The state of the vulnerability changes to Fixed. You can view the vulnerability in the Handled vulnerability list.
      • Verification failed: The state of the vulnerability changes to Unfixed. This indicates that the vulnerability has not been fixed. We recommend that you troubleshoot the issue and handle the vulnerability at the earliest opportunity.
    • Ignore vulnerabilities

      If you do not want Security Center to generate alerts on some vulnerabilities, ignore these vulnerabilities. On the Detail tab, select the vulnerability that you want to ignore and click Ignore in the Actions column. Security Center no longer generates alerts on this vulnerability.

      Note The status of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, click the vulnerability in the Handled vulnerability list and click Unignore on the Detail tab.

Types of vulnerabilities that Security Center can detect

Vulnerability type: Weak passwords in system services
Check items:
  • OpenSSH services
  • MySQL database services
  • MSSQL database services
  • MongoDB database services
  • FTP, VSFTP, and ProFTPD services
  • Memcache cache services
  • Redis caching services
  • Subversion control services
  • Server Message Block (SMB) file sharing services
  • Simple Mail Transfer Protocol (SMTP) email delivery services
  • Post Office Protocol 3 (POP3) email reception services
  • Internet Message Access Protocol (IMAP) email management services

Vulnerability type: Vulnerabilities in system services
Check items:
  • OpenSSL heartbleed vulnerabilities
  • SMB
    • Samba
    • Brute-force attacks against weak passwords
  • RSYNC
    • Anonymous access to sensitive data
    • Brute-force attacks against password-based authentication
  • Brute-force attacks against VNC passwords
  • Brute-force attacks against pcAnywhere passwords
  • Brute-force attacks against ApsaraDB for Redis passwords

Vulnerability type: Vulnerabilities in application services
Check items:
  • phpMyAdmin weak passwords
  • Tomcat console weak passwords
  • Apache Struts 2 remote command execution vulnerabilities
  • Apache Struts 2 remote command execution vulnerability (S2-046)
  • Apache Struts 2 remote command execution vulnerability (S2-057)
  • Arbitrary file uploads in ActiveMQ (CVE-2016-3088)
  • Arbitrary file reads in Confluence
  • CouchDB Query Server remote command execution
  • Discuz! brute-force attacks against administrator weak passwords
  • Unauthorized access to Docker
  • Remote code execution in Drupal, Drupalgeddon 2 (CVE-2018-7600)
  • ECshop code execution vulnerabilities in logon endpoints
  • Unauthorized access to Elasticsearch
  • Elasticsearch MvelRCE CVE-2014-31
  • Elasticsearch Groovy RCE CVE-2015-1427
  • Expression Language (EL) injection in Weaver OA
  • Unauthorized access to Hadoop YARN ResourceManager
  • Path traversal in JavaServer Faces 2
  • Java deserialization in JBoss EJBInvokerServlet
  • Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002)
  • Unauthorized access to Jenkins
  • Jenkins Script Security Plugin RCE
  • Unauthorized access to Kubernetes
  • SQL injection vulnerabilities in the MetInfo getPassword interface
  • SQL injection vulnerabilities in the MetInfo logon interface
  • Arbitrary file uploads in PHPCMS 9.6
  • PHP-CGI remote code execution vulnerabilities
  • Actuator unauth RCE
  • ThinkPHP_RCE_20190111
  • Server-side request forgery (SSRF) in WebLogic UDDI Explorer
  • SSRF in WordPress xmlrpc.php
  • Brute-force attacks against the Zabbix web console
  • OpenSSL heartbleed vulnerabilities
  • Unauthorized access to the WEB-INF directory in Apache Tomcat

References

How often does Security Center detect vulnerabilities?

What are the differences between baselines and vulnerabilities?

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?