This topic provides an overview of the vulnerability fixing feature of Security Center. You can use Security Center to detect and fix common vulnerabilities with a few clicks. You can view detected vulnerabilities and manually perform scan tasks on the Vulnerabilities page. Then, you can check the security status of your assets.

Background information

Vulnerabilities are flaws in the implementation of an operating system or the software installed on it, or in the security policies applied to it. Attackers can exploit vulnerabilities to access the data on your servers or compromise the servers themselves. We recommend that you fix detected vulnerabilities at the earliest opportunity to protect your assets.

For more information about the vulnerability fixing feature supported by each edition of Security Center, see Vulnerability fixing.

Security Center can detect the following types of vulnerabilities:

Vulnerability fixing principles

If you use the vulnerability fixing feature in the Security Center console, the system automatically downloads the patch package for fixing vulnerabilities to a dedicated directory. The system deletes the package three days after the vulnerabilities are fixed.
  • Linux software vulnerabilities

    When you fix Linux software vulnerabilities, the system package manager (YUM on CentOS; Ubuntu uses APT) automatically downloads, installs, and deletes the patch package. No manual operations are required.

  • Windows system vulnerabilities

    When you fix Windows system vulnerabilities with a few clicks, the Security Center agent automatically downloads, installs, and deletes the patch package. No manual operations are required. If the patch package is not deleted three days after the vulnerabilities are fixed, manually delete the patch package. For more information, see How do I delete a Windows patch from the directory of the Security Center agent?
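After a fix reports as complete, a practitioner usually wants an on-host check that is independent of the console. The following is an added example, not Security Center's own tooling: on CentOS it reads the installed RPM's changelog (vendors record backported CVE fixes there), and on Ubuntu it reads the package's local Debian changelog. The package and CVE names are supplied by the caller and are placeholders, not identifiers taken from the page.

```shell
#!/bin/sh
# Added example: confirm on the host that an installed package references the
# CVE that Security Center reports as fixed. Package and CVE arguments are
# caller-supplied placeholders (assumption), not values from the documentation.

# Read changelog text on stdin; return 0 if it mentions the CVE ID exactly.
# The boundary checks stop CVE-YYYY-1234 from matching CVE-YYYY-12345.
cve_in_changelog() {
    cve=$1
    grep -Eiq "(^|[^0-9A-Za-z-])${cve}([^0-9]|$)"
}

# CentOS/RHEL: query the RPM database. Exit codes: 0 = CVE referenced,
# 1 = installed but CVE not referenced, 2 = package not installed.
verify_rpm_fix() {
    pkg=$1; cve=$2
    if ! rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed"
        return 2
    fi
    ver=$(rpm -q "$pkg" | head -n 1)
    if rpm -q --changelog "$pkg" | cve_in_changelog "$cve"; then
        echo "$pkg: $ver references $cve"
        return 0
    fi
    echo "$pkg: $ver does not reference $cve"
    return 1
}

# Ubuntu: the changelog shipped with the package lives under /usr/share/doc
# and can be read offline (apt-get changelog would need network access).
verify_deb_fix() {
    pkg=$1; cve=$2
    log="/usr/share/doc/$pkg/changelog.Debian.gz"
    if ! dpkg -s "$pkg" >/dev/null 2>&1; then
        echo "$pkg: not installed"
        return 2
    fi
    ver=$(dpkg-query -W -f '${Version}' "$pkg")
    if [ -r "$log" ] && zcat "$log" | cve_in_changelog "$cve"; then
        echo "$pkg: $ver references $cve"
        return 0
    fi
    echo "$pkg: $ver does not reference $cve (or changelog missing)"
    return 1
}

# Pick the checker that matches the host's package manager.
verify_fix() {
    if command -v rpm >/dev/null 2>&1; then
        verify_rpm_fix "$1" "$2"
    elif command -v dpkg >/dev/null 2>&1; then
        verify_deb_fix "$1" "$2"
    else
        echo "unsupported package manager"; return 3
    fi
}

# Usage: sh verify_fix.sh <package> <CVE-ID>
if [ "$#" -ge 2 ]; then
    verify_fix "$1" "$2"
fi
```

A changelog that does not mention the CVE is a prompt to check the vendor's advisory rather than proof that the host is still vulnerable, because not every backported fix is recorded under its CVE ID; a changelog that does mention it, combined with the installed version, is the evidence to keep alongside the console's Fixed state. The Windows equivalent of this check is listing installed updates with Get-HotFix.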

Operating systems that support vulnerability scans

Operating system   Versions
CentOS             CentOS 5, CentOS 6, and CentOS 7
Ubuntu             Ubuntu 14, Ubuntu 16, and Ubuntu 18
Windows Server     Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019

Vulnerability statistics

To view vulnerability statistics, log on to the Security Center console and click Runtime Vul Fixes in the left-side navigation pane. On the Vulnerabilities page, you can view the following information:

  • Vul Servers
    Click the number below Vul Servers to go to the Server(s) tab of the Assets page. On this tab, you can view the details about the servers on which vulnerabilities are detected.
  • Recommended Fix (CVE)
    Click the number below Recommended Fix (CVE) to go to the Recommended Fix (CVE) panel. In this panel, you can view and fix the vulnerabilities with High priorities.
  • Fixing
    Click the number below Fixing to go to the Fixing panel. In this panel, you can view the affected assets and the fix progress.
  • Fixed Today and Total Fixed
    Click the number below Fixed Today or Total Fixed to go to the Fixed Today or Total Fixed panel. You can view information about the assets exposed to the vulnerabilities that are in the Fixing or Fixed state.
    You can perform the following operations:
    • View related processes: Click the icon in the Related process column to view the processes or service systems that may be affected while Security Center is fixing the vulnerability.
    • View the details about the Alibaba Cloud vulnerability library: Click a CVE ID in the Vul (cve) column to view details about the vulnerability in the Alibaba Cloud vulnerability library.
      If multiple vulnerabilities are detected on an asset, the number of vulnerabilities is displayed in the Vul (cve) column. To view the details about one of them, move the pointer over the displayed CVE ID and click the CVE ID.
    • View the details about a vulnerability fix: Click Details in the Actions column to view the description and risks of the vulnerability fix.
    • Undo a vulnerability fix: If you have created a snapshot for an asset, you can undo the fixes of vulnerabilities on this asset. To undo a fix, click Undo Fix in the Actions column, select the snapshot that you have created, and then click OK.
      Note You can undo only the fixes of Linux software vulnerabilities.
  • Latest System Vul Time
    View the last time when a vulnerability scan task was performed.
    Note If you want to manually scan newly purchased Elastic Compute Service (ECS) instances at an unscheduled time, click Scan now to start the scan task. For more information, see Quick scan.

References

Scan cycles

What are the differences between baselines and vulnerabilities?

What can I do if I cannot enable the vulnerability detection feature for a server on the Assets page?