This topic provides answers to some commonly asked questions about vulnerability fixes, baseline checks, and cloud service configuration assessment.

How do I manually detect Linux software vulnerabilities on my servers?

You can manually detect Linux software vulnerabilities on your servers by running commands on the command line. For more information, see How do I manually detect Linux software vulnerabilities?

We recommend that you use the detection feature that is provided by Security Center to detect Linux software vulnerabilities. This feature automatically detects vulnerabilities in a timely manner on a regular basis.

How do I view the current software version and vulnerability details?

Security Center assesses whether your server contains software vulnerabilities by comparing the system software versions on your server with the software versions that are known to have Common Vulnerabilities and Exposures (CVE) vulnerabilities. To view the vulnerability details of the current software version, choose one of the following methods:
  • View the current software version and vulnerability details in the Security Center console

    Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities. On the Vulnerabilities page, view the system software version and vulnerability details. For more information about the system software vulnerabilities, see The parameters of Linux software vulnerabilities.

  • View details of the current software version on your server
    You can also run a command to view details of the current software version:
    • CentOS

      Run the rpm -qa | grep xxx command. xxx specifies the name of the software package. For example, you can run the rpm -qa | grep bind-libs command to view the version details of the bind-libs software package.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} ${Version}\n' | grep xxx command. xxx specifies the name of the software package. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of the bind-libs software package.
      Note If the specified software package is not found, run the dpkg-query -W command to view all the software installed on your server.
    After you obtain the version details of the software, compare it with the details of the system software vulnerabilities that are detected by Security Center. In the details of a vulnerability, Software and Cause indicate the version of the current software and the reason why Security Center determines that your server has the vulnerability.
    Note After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore this alert. You can run the yum remove or apt-get remove command to delete the old software package. Before you delete the package, make sure that the old software version is no longer required by any workload or application.
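The comparison described above can be scripted. The following is an added example, not code from the Security Center documentation: it reads the installed version of a package from rpm or dpkg and compares it with the minimum version that a vulnerability notice requires, in the same epoch:version-release form that the Software and Cause fields use. The package names and version strings used for the offline demonstration are constructed sample values based on the mariadb-libs example in this FAQ, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): compare the
# installed version of a package with the minimum version that a vulnerability
# notice requires. Version strings use the rpm/dpkg "epoch:version-release"
# form. Sample values are constructed from the FAQ's mariadb-libs example.

# Epoch part of an "epoch:version-release" string; 0 when no epoch is given.
evr_epoch() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf '0\n' ;;
    esac
}

# Version-release part of an "epoch:version-release" string.
evr_rest() {
    printf '%s\n' "${1#*:}"
}

# Compare two version-release strings segment by segment (split on '.', '-',
# '_' and '~'). Numeric segments compare as numbers, the rest as text, and a
# missing segment sorts first. Prints -1, 0 or 1.
vercmp() {
    awk -v A="$1" -v B="$2" 'BEGIN {
        na = split(A, a, /[._~-]/); nb = split(B, b, /[._~-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? a[i] : ""; y = (i <= nb) ? b[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) {
                if (x + 0 != y + 0) { r = (x + 0 < y + 0) ? -1 : 1; print r; exit }
            } else if (x != y) {
                r = (x < y) ? -1 : 1; print r; exit
            }
        }
        print 0
    }'
}

# True (exit 0) when EVR $1 is older than EVR $2. The epoch outranks the
# version, which is why 5.5.52-1.el7 is earlier than 1:5.5.56-2.el7.
evr_lt() {
    e1=$(evr_epoch "$1"); e2=$(evr_epoch "$2")
    if [ "$e1" -ne "$e2" ]; then
        if [ "$e1" -lt "$e2" ]; then return 0; else return 1; fi
    fi
    if [ "$(vercmp "$(evr_rest "$1")" "$(evr_rest "$2")")" -eq -1 ]; then
        return 0
    else
        return 1
    fi
}

# Installed EVR of package $1 from dpkg or rpm; prints nothing if it is not
# installed. rpm prints "(none)" for a missing epoch, which is mapped to 0.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' "$1" 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1 || return 0
        rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$1" | sed 's/^(none):/0:/'
    fi
}

# Report whether the installed version of $1 meets the required EVR $2.
# Returns 1 when the package is installed but older than required.
assess_package() {
    pkg=$1; required=$2
    installed=$(installed_version "$pkg")
    if [ -z "$installed" ]; then
        echo "$pkg: not installed"
        return 0
    fi
    if evr_lt "$installed" "$required"; then
        echo "$pkg: installed $installed is earlier than $required (vulnerable)"
        return 1
    fi
    echo "$pkg: installed $installed meets $required"
    return 0
}

# Offline demonstration with the constructed values from the FAQ example.
if evr_lt "5.5.52-1.el7" "1:5.5.56-2.el7"; then
    echo "sample: mariadb-libs 5.5.52-1.el7 is earlier than 1:5.5.56-2.el7"
fi
# On a real server:  assess_package mariadb-libs 1:5.5.56-2.el7
```

Run assess_package with the package name and the version shown in the Cause field of the vulnerability; a non-zero exit status means the installed package is still older than required. The epoch check comes first because an epoch bump (1:5.5.56 versus 5.5.52) makes a package newer regardless of the numeric version, which is the case that confuses a plain string comparison.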

How do I update kernel 3.1* to kernel 4.4 on Ubuntu 14.04?

Notice Risks may arise when you update the kernel. We recommend that you follow the instructions provided in Fix software vulnerabilities.
To update kernel 3.1* to kernel 4.4 on Ubuntu 14.04, perform the following steps:
  1. Run the uname -av command to check whether the kernel version is 3.1*.
  2. Run the following commands to check whether the latest kernel update package is available:
    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic
  3. If no update package is available, run the apt-get update command to obtain the latest update package.
  4. Run the following commands to install the update package:
    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  5. After the update package is installed, restart the server to load the kernel.
  6. After the server is restarted, run the following commands to verify the update:
    • Run the uname -av command to query the current kernel version.
    • Run the dpkg -l | grep linux-image command to query the details of the current kernel.

Is a system restart required after I fix a vulnerability?

  • Windows servers:

    After you fix a Windows system vulnerability in the Security Center console, you must restart the server system to validate the fix.

    This applies to all servers that run Windows.

  • Linux servers:
    After you fix a Linux kernel vulnerability in the Security Center console, you must restart the server system to validate the fix. If one of the following conditions is met, you must restart the system after you fix a vulnerability.
    • The server runs Linux and the vulnerability that you fix is a Linux kernel vulnerability.
    • On the Linux Software tab, the vulnerability that you fix is tagged with Restart Required. You can perform the following steps to navigate to the Linux Software tab: Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities.
    Figure: Restart required

What can I do if Security Center still sends a vulnerability alert to me after I update the kernel?

This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To fix this issue, you can perform the following operations:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current version meets the requirement described in the vulnerability details.
  2. Run the cat /etc/grub.conf command to query the configuration file. Make sure that the current system uses the latest kernel version.
  3. Security Center assesses whether your server contains Linux software vulnerabilities based on the kernel version. If your system contains the Redhat Package Manager (RPM) package of the old kernel version, Security Center will detect it and generate an alert. Make sure that your system does not contain the RPM package of the old kernel version. If your system contains the RPM package of the old kernel version, delete the package.
    Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot for your system before you delete the RPM package of the old kernel version. The snapshot allows you to recover the system in case of unusual situations.
If you do not want to delete the RPM package of the old kernel version, you can perform the following steps to ignore alerts generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the vulnerability that you want to ignore and click the vulnerability name. The details page of the vulnerability appears.
  4. In the Actions column, click the More icon and select Ignore.
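The verification steps for the kernel update above and the leftover-kernel check in this answer both come down to comparing the running kernel with the installed kernel packages. The following is an added example, not code from the Security Center documentation: it lists the installed kernel packages, confirms that the running kernel is among them, and prints the packages of other kernel versions, which are the "remaining files of the old kernel version" that keep the alert open. The package names used for the offline demonstration are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): after a kernel
# update, check that the running kernel is an installed package and list the
# packages of other kernel versions (the leftovers that re-trigger the alert).
# Package names used in the offline demonstration are constructed samples.

# Installed kernel packages on this server (dpkg- or rpm-based), one per line.
installed_kernel_packages() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Package} ${Status}\n' 'linux-image-*' 2>/dev/null \
            | awk '$NF == "installed" { print $1 }'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa 'kernel*'
    fi
}

# $1 is the running kernel release (uname -r); the remaining arguments are
# package names. Prints the versioned kernel packages that do not belong to
# the running kernel. Packages without a digit (meta-packages such as
# linux-image-generic) are skipped.
leftover_kernels() {
    running=$1; shift
    for pkg in "$@"; do
        case "$pkg" in
            *[0-9]*) ;;
            *) continue ;;
        esac
        case "$pkg" in
            *"$running"*) ;;
            *) printf '%s\n' "$pkg" ;;
        esac
    done
}

# True (exit 0) when some package in the list matches the running kernel.
running_kernel_installed() {
    running=$1; shift
    for pkg in "$@"; do
        case "$pkg" in
            *"$running"*) return 0 ;;
        esac
    done
    return 1
}

# Print the audit for a running kernel and a package list; returns 1 when
# packages of other kernel versions are present.
kernel_audit() {
    running=$1; shift
    echo "running kernel: $running"
    if running_kernel_installed "$running" "$@"; then
        echo "running kernel package: present"
    else
        echo "running kernel package: NOT found (booted kernel matches no installed package)"
    fi
    left=$(leftover_kernels "$running" "$@")
    if [ -z "$left" ]; then
        echo "no packages of other kernel versions"
        return 0
    fi
    echo "packages of other kernel versions (candidates for yum remove / apt-get remove):"
    printf '  %s\n' $left
    return 1
}

# Offline demonstration with constructed CentOS-style names.
SAMPLE_RUNNING="3.10.0-1160.el7.x86_64"
SAMPLE_PACKAGES="kernel-3.10.0-1127.el7.x86_64 kernel-3.10.0-1160.el7.x86_64 kernel-tools-3.10.0-1160.el7.x86_64"
kernel_audit "$SAMPLE_RUNNING" $SAMPLE_PACKAGES || true

# On a real server:  kernel_audit "$(uname -r)" $(installed_kernel_packages)
```

On a real server, run the last line after the restart that follows the kernel update. A "NOT found" result means the server booted a kernel that no installed package provides, so the boot configuration should be checked before anything is removed; the listed leftover packages are the ones to remove (after taking a snapshot) or to ignore in the console as described above.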

What can I do if no update software package is released for a vulnerability?

Perform the following operations based on your requirements:

  • You may receive one of the following messages when you update software to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    or
    No Packages marked for Update

    In this case, wait until an official update of the software package is available.

    The following software packages do not have available updates:
    • Gnutls
    • Libnl
    • Mariadb
  • After you update the software package to the latest version, the software package may still fail to meet the version requirement described in the Security Center console.

    In this case, check whether the operating system version of your server is supported. For example, starting September 1, 2017, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. We recommend that you ignore this vulnerability in the Security Center console or update the operating system of your server. Even if you ignore the vulnerability, the risk may still exist.

The parameters of Linux software vulnerabilities

You can log on to the Security Center console, choose Precaution > Vulnerabilities, and then click the Linux Software tab to view Linux software vulnerabilities detected on your assets. You can click the name of a specific vulnerability to go to the details page. The following list describes the parameters of Linux software vulnerabilities:
  • Vulnerability

    The name of a Linux software vulnerability notice, which starts with CVE, RHSA, or USN. For example, RHSA-2016:2972: vim security update.

  • Impact

    The vulnerability impact score, which is based on the open Common Vulnerability Scoring System (CVSS) standard. The score indicates the severity of a vulnerability, which allows you to prioritize the vulnerability.

  • CVE ID

    The CVE ID of a vulnerability. For example, CVE-2016-XXXX. The CVE system provides a reference method for public information-security vulnerabilities and exposures. You can find information about vulnerability fixes in a CVE-compatible database to solve security issues.

  • Priority
    The priority of a vulnerability. Valid values: High, Medium, and Low.
    Figure: Priority
    Note The vulnerability priority in the preceding figure is Medium. You can fix these vulnerabilities later.
    • The following vulnerabilities have the High priority:
      • Vulnerabilities that attackers can exploit to obtain permissions on the operating system of your server.
      • Vulnerabilities that attackers can exploit to obtain sensitive data and cause data breaches.
      • Vulnerabilities that can cause unauthorized access to sensitive data.
      • Vulnerabilities that can cause large-scale impacts.
    • The following vulnerabilities have the Medium priority:
      • Vulnerabilities that attackers can exploit to indirectly obtain permissions on your server and application systems.
      • Vulnerabilities that attackers can exploit to read, write, download, or delete files.
      • Vulnerabilities that cause sensitive data leaks.
      • Vulnerabilities that can cause workload disruption or remote denial-of-service attacks.
    • The following vulnerabilities have the Low priority:
      • Vulnerabilities that affect users during system and user interactions.
      • Vulnerabilities that attackers can exploit to perform unauthorized operations.
      • Vulnerabilities that attackers can exploit after they change on-premises configurations or obtain important information.
      • Vulnerabilities that can cause on-premises denial-of-service attacks.
      • Vulnerabilities that have minor impacts.
  • Impact description

    The information about the current version of the software, the reason why the vulnerability is detected, and the path of the vulnerability program on your server.

    On the details page of a vulnerability, click Details in the Actions column to view the impact description of the vulnerability.
    Figure: Vulnerability details
    The impact description includes the following information:
    • Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
    • Cause: the reason why the vulnerability is detected. In most cases, the reason is that the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 1:5.5.56-2.el7.
    • Path: the path of the vulnerability program on your server. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
  • Actions
    You can perform the following operations on a detected Linux vulnerability:
    • Fix: Fix the vulnerability.
    • Verify: Check whether the vulnerability is fixed.
    • Ignore: Ignore the vulnerability.

    For more information, see Linux software vulnerabilities.

How do I fix vulnerabilities?

You can use Security Center to detect and automatically fix Linux software vulnerabilities, Windows vulnerabilities, and Web-CMS vulnerabilities. For application vulnerabilities and emergency vulnerabilities, you must manually fix them.

Log on to the Security Center console. In the left-side navigation pane, click Vulnerabilities. On the Vulnerabilities page, find the Linux software vulnerability, Windows vulnerability, or Web-CMS vulnerability that you want to fix and click Fix in the Actions column. You can create a snapshot before you fix a Linux software vulnerability or Windows system vulnerability. After you fix a vulnerability, the status of the vulnerability that requires a system restart changes to Handled (To Be Restarted). You must restart your system as instructed before you check whether the vulnerability is fixed.

For emergency vulnerabilities and application vulnerabilities, you can manually fix them based on the fix suggestions displayed on the vulnerability details page. After you fix a vulnerability, you can check whether the vulnerability is fixed on the Vulnerabilities page.

When I use Security Center to fix multiple vulnerabilities at a time, in what order are the vulnerabilities fixed?

Linux software vulnerabilities and Web-CMS vulnerabilities are fixed in the order of the vulnerability list in the Security Center console. Certain Windows system vulnerabilities require pre-patches before Security Center can fix them. Such vulnerabilities are fixed first when multiple Windows system vulnerabilities are fixed. The other vulnerabilities are fixed in the order of the vulnerability list in the Security Center console.

Why do I fail to create a snapshot when I fix a vulnerability? What can I do?

Possible reasons are:
  • You are fixing the vulnerability as a RAM user: If you are fixing the vulnerability as a RAM user that does not have the permissions to create a snapshot, the console displays a message indicating that the snapshot cannot be created. We recommend that you use an Alibaba Cloud account to create a snapshot. For more information about RAM users, see Overview of a RAM user.
  • The server is not an Alibaba Cloud server: You can only fix vulnerabilities and create snapshots for Alibaba Cloud servers.

What can I do if Security Center still sends vulnerability alerts to me after I fix vulnerabilities?

This issue occurs because a system restart is required after you fix Linux kernel vulnerabilities. Go to the vulnerability details page and click Restart in the Actions column. After the system is restarted, you can click Verify in the Actions column. If the status of the vulnerability changes to Handled, the vulnerability is fixed.

What can I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?

This issue occurs because your account does not have permissions to manage the file required to fix the vulnerability. We recommend that you find the vulnerability that you want to fix and click the vulnerability name. In the panel that appears, view the details of the vulnerability and check whether the owner of the file is the root user. If the owner is not the root user, you must change the owner to the root user. Then, you can go back to the Security Center console and fix the vulnerability.

When the Security Center agent is disabled or disconnected from Alibaba Cloud, why are the records of the detected vulnerabilities still displayed in the Security Center console?

The records of detected vulnerabilities are retained in the Security Center console even though the Security Center agent is disabled or disconnected from Alibaba Cloud.

After the Security Center agent is disabled or disconnected from Alibaba Cloud for more than three days, all the detected vulnerabilities become invalid. In this case, you cannot perform operations on vulnerabilities. For example, you cannot fix vulnerabilities or delete the records of vulnerabilities.

If you do not renew Security Center within seven days after it expires, your data is released and deleted. Then, the detected vulnerabilities are no longer displayed.

How do I delete a Windows patch from the directory of the Security Center agent?

If you use the Security Center agent to fix a Windows system vulnerability, the Security Center agent automatically downloads, installs, and deletes the patch. If the Security Center agent does not delete the patch three days after the vulnerability is fixed, perform the following steps to manually delete the patch:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. Optional. Disable self-protection for the Security Center agent.

    If you have not enabled self-protection, skip this step and go to the next step.

    When self-protection is enabled, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent. For more information about self-protection, see Client protection.

  4. Log on to your server as an administrator.
  5. Find the patch and manually delete it.

    The path of the patch is: C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix.

Can Security Center detect Elasticsearch vulnerabilities?

Yes, Security Center can detect Elasticsearch vulnerabilities.

You can perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities and click the Application tab. Then, check whether Elasticsearch vulnerabilities exist. For more information about Elasticsearch vulnerabilities and solutions, see [Vulnerability notice] Multiple high-risk vulnerabilities in Elasticsearch.

Note Only Enterprise Edition Security Center supports application vulnerability detection. To use application vulnerability detection, users of Basic Edition, Basic Anti-virus Edition, and Advanced Edition must upgrade Security Center to Enterprise Edition.

How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?

If the connection times out, the following error message appears:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket to contact after-sales service.

How do I handle the "Invalid token" error message when I fix a vulnerability?

If you receive the Invalid token error message in the Security Center console, simultaneously press Ctrl and F5 to refresh the current page.

What can I do if Security Center fails to verify the fix of a system vulnerability?

To handle this issue, perform the following steps:
  1. Check the version of the vulnerability.
  2. Check whether the system uses the YUM repository of Alibaba Cloud.
  3. Check whether you have verified the vulnerability fix after a system update.
    Note You must restart the system after you update the kernel.
  4. Make sure that the software version to which you update is not earlier than the version recommended by Security Center.

If the issue persists, we recommend that you update the operating system.
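The YUM timeout question earlier on this page and step 2 of this answer both involve the same checks on the server: whether the repository host resolves, whether the repository metadata can be fetched, and whether the yum configuration points at the Alibaba Cloud mirror at all. The following is an added example, not code from the Security Center documentation: it parses the repository URL out of the timeout error quoted above, checks the resolver and the HTTP response, and lists the .repo files that reference mirrors.aliyun.com. The error line is the one quoted in this FAQ; the repository file used in the offline test is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): diagnose a
# timeout against the Alibaba Cloud YUM repository and check whether the
# server's yum configuration references mirrors.aliyun.com. The error line
# below is the one quoted in the FAQ; everything else is this example's own.

# Repository URL from a yum "Timeout on <url>: (...)" error line.
error_url() {
    printf '%s\n' "$1" | sed -n 's/.*Timeout on \(http[s]*:\/\/[^ ]*\): (.*/\1/p'
}

# Host name part of a URL.
url_host() {
    h=${1#*://}
    printf '%s\n' "${h%%/*}"
}

# Repository files under directory $1 (default /etc/yum.repos.d) whose
# baseurl or mirrorlist references mirrors.aliyun.com.
aliyun_repo_files() {
    dir=${1:-/etc/yum.repos.d}
    grep -l -E '^(baseurl|mirrorlist)=.*mirrors\.aliyun\.com' "$dir"/*.repo 2>/dev/null
}

# True (exit 0) when the host resolves with the server's own resolver.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Fetch the repository metadata with a short connect timeout; prints the
# HTTP status code, or 000 when no connection could be made.
probe() {
    curl -sS -o /dev/null --connect-timeout 5 --max-time 20 -w '%{http_code}\n' "$1"
}

# Run the checks for one yum error line; returns 1 at the first failing step.
diagnose() {
    url=$(error_url "$1")
    if [ -z "$url" ]; then
        echo "no repository URL found in: $1"
        return 1
    fi
    host=$(url_host "$url")
    echo "repository URL: $url"
    echo "resolver configuration:"
    grep '^nameserver' /etc/resolv.conf 2>/dev/null || echo "  (no nameserver entries)"
    if ! resolves "$host"; then
        echo "$host does not resolve: fix the DNS settings first"
        return 1
    fi
    echo "$host resolves"
    echo "HTTP status for repomd.xml: $(probe "$url")"
    files=$(aliyun_repo_files)
    if [ -z "$files" ]; then
        echo "no .repo file references mirrors.aliyun.com"
        return 1
    fi
    echo "repo files using the Alibaba Cloud mirror:"
    printf '  %s\n' $files
}

SAMPLE_ERROR="[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')"

# Usage on a server: pass the line yum printed, for example
#   sh yum_check.sh "$SAMPLE_ERROR"
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

A status of 000 with a resolving host points at a network path problem between the server and the mirror rather than at DNS; an empty list from aliyun_repo_files means the fix command ran against a different repository, which is the case step 2 asks you to rule out.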

Can Security Center automatically verify the fix of a vulnerability that requires a system restart?

No, Security Center cannot automatically verify the fix.

If a vulnerability is fixed but requires a system restart to verify the fix, the state of the vulnerability is Handled (To Be Restarted). Security Center scans for vulnerabilities on a daily basis. After you fix vulnerabilities of the preceding type, Security Center no longer detects such vulnerabilities. In this case, Security Center retains the information about these vulnerabilities for three days. Make sure that networks are functioning as expected and no other factors are affecting vulnerability detection. After three days, the information is deleted.

Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?

After you run the command generated by Security Center to fix a system software vulnerability, the system software is updated. The new software version meets the requirement on the Vulnerabilities page of the Security Center console. However, when you click Verify in the panel that displays the details of the vulnerability, the state of the vulnerability does not change to Fixed.

To handle this issue, perform the following steps:
  • Check the priority levels of vulnerabilities that Security Center detects

    Perform the following steps:

    1. Log on to the Security Center console.
    2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
    3. On the Vulnerabilities page, click Settings in the upper-right corner.
    4. On the Settings page, view Vul scan level.

    If you do not select a specific priority, Security Center does not automatically update the information about vulnerabilities of that priority. You can select priorities based on your requirements.

  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may not be able to detect vulnerabilities. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is disconnected from Alibaba Cloud

    If the Security Center agent on your server is disconnected from Alibaba Cloud, you cannot verify vulnerability fixes. We recommend that you troubleshoot the issue and ensure that the Security Center agent is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

Why does Security Center fail to roll back a vulnerability fix?

To handle this issue, perform the following steps:
  1. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, troubleshoot the issue. For more information, see Identify why the agent is offline.
  2. Check whether the files related to this vulnerability have already been manually modified or deleted.
    Note If the related files are manually modified or deleted after the vulnerability is fixed, Security Center cannot roll back the fix. This prevents a rollback from overwriting changes that you made to your files.

What can I do if I cannot enable the vulnerability detection feature for a server on the Assets page?

You can choose Vulnerabilities > Settings to configure servers for which vulnerability detection is enabled. In the following figure, "Scan-Disabled: 4" indicates that Security Center cannot detect Linux software vulnerabilities for four servers. To enable Security Center to detect Linux software vulnerabilities for these servers, click Manage.
Figure: Vulnerability detection disabled

Are my workloads affected when Security Center is scanning for emergency vulnerabilities?

Security Center checks whether your assets contain emergency vulnerabilities by using a lightweight preliminary detection method: it sends one or two TCP request packets to the IP addresses of all your Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances. The packets do not carry any malicious payload. The emergency vulnerability detection feature has been tested on millions of IP addresses and is highly stable and reliable. However, test environments cannot cover all scenarios, so unknown risks may still occur. For example, if the business logic of a website is fragile, one or two TCP requests may cause the server to crash, which puts your business system at risk.

Why are the results different when Security Center scans multiple times for fastjson emergency vulnerabilities?

The detection of fastjson vulnerabilities depends on whether the JAR packages are loaded. A web server loads JAR packages in a dynamic mode or a static mode. In dynamic mode, fastjson vulnerabilities can be detected only while the JAR packages are loaded at runtime. Therefore, the results may differ between scans. We recommend that you scan for fastjson vulnerabilities multiple times to improve the accuracy of the scan results.

Scan cycles

Security Center can detect and fix vulnerabilities such as Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, emergency vulnerabilities, and application vulnerabilities. The following table lists the default scan cycle for each vulnerability type.

Can Security Center detect system and application vulnerabilities?

Yes, Security Center can detect system and application vulnerabilities.

What can I do if Security Center fails to verify a fixed baseline risk?

To handle this issue, perform the following steps:
  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is connected to Alibaba Cloud

    If the Security Center agent on your server is not connected to Alibaba Cloud, Security Center cannot verify a fixed baseline risk. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

What are the differences between baselines and vulnerabilities?

Baselines describe the minimum security requirements for system configurations and management. For example, the following items are considered baselines: service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center provides security checks for your operating systems, databases, software, and containers. This feature supports the following baseline types: weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. You can then improve system security based on the check results and suggestions provided by Security Center. For more information about check items, see Check items.

Vulnerabilities refer to flaws in operating system implementation or security policies. Attackers can exploit vulnerabilities to access the data on your servers or undermine the security of your servers. We recommend that you fix detected vulnerabilities in a timely manner to protect your assets.

The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade Security Center.