This topic answers the frequently asked questions about vulnerability fixes, baseline checks, and cloud service configuration assessment.

How do I manually scan for Linux software vulnerabilities?

For more information, see How to manually scan for Linux software vulnerabilities.

We recommend that you use Security Center to regularly run scheduled scan tasks to detect system software vulnerabilities on your servers.

How can I view the current software version and the vulnerability details?

Security Center assesses whether your server contains software vulnerabilities by comparing the version of the system software with that of Common Vulnerabilities and Exposures (CVE) vulnerabilities. To view vulnerability details of the current software version, choose one of the following methods:
  • View the current software versions and vulnerability details in the Security Center console

    You can log on to the Security Center console and choose Precaution > Vulnerabilities to view the system software versions and vulnerability details. For more information about the parameters of system software vulnerabilities, see The parameters of Linux software vulnerabilities.

  • View details of the current software version on your server
    You can view details of the current software version on your server:
    • CentOS

      Run the rpm -qa | grep xxx command. xxx refers to the software package name. For example, you can run the rpm -qa | grep bind-libs command to view the version details of the bind-libs software.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} -- ${Source}\n' | grep xxx command. xxx refers to the software package name. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of the bind-libs software.
      Note If the specified software package is not found, run the dpkg-query -W command to view all the software installed on your server.
    After you obtain the software version details, compare them with the details of the system software vulnerabilities detected by Security Center. The Software and Cause parameters respectively represent the version of the current software and why the vulnerability is matched.
    Note After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore this alert. You can run the yum remove or apt-get remove command to delete the old software package. Before you delete it, make sure that the old software version is no longer required by any workload or application.

How do I update kernel 3.1* to kernel 4.4 in Ubuntu 14.04?

Notice Risks may occur when you update the kernel. We strongly recommend that you follow Fix software vulnerabilities to update the kernel.
To update kernel 3.1* to kernel 4.4 in Ubuntu 14.04, perform the following steps:
  1. Run the uname -av command to check whether the kernel version of the current server is 3.1*.
  2. Run the following commands to check whether the latest kernel update package is available.
    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic
  3. If no update package is available, you can run the apt-get update command to obtain the latest update package.
  4. Run the following commands to update the kernel:
    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  5. After the update package is installed, restart the server to load the kernel.
  6. After the server is restarted, run the following commands to verify the update:
    • Run the uname -av command to view the current kernel version.
    • Run the dpkg -l | grep linux-image command to view the current kernel details.

Is a system restart required after I fix a vulnerability?

After you fix a Linux kernel vulnerability in the Security Center console, you must restart the server system before the fix can take effect.

If one of the following conditions is met, you must restart the system after you fix a vulnerability.
  • The target server runs Linux and the vulnerability to be fixed is a Linux kernel vulnerability.
  • In the Security Center console, on the Linux Software tab of the Precaution > Vulnerabilities page, the target vulnerability contains the Restart Required tag.

Why does Security Center still send a vulnerability alert to me after I update the kernel?

This issue may occur due to the remaining files of the old kernel version. If you confirm that the alert is triggered on the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To handle this issue, perform the following steps:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current version meets the requirement as described in the vulnerability details.
  2. Run the cat /etc/grub.conf command to view the configuration file. Make sure that the current system uses the latest kernel version.
  3. Security Center assesses whether your server contains Linux software vulnerabilities based on the kernel version. Make sure that your system does not contain the Red Hat Package Manager (RPM) package of the old kernel version. If your system contains the RPM package of the old kernel version, you can delete it.
    Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We strongly recommend that you create a snapshot of your system before you delete the RPM package of the old kernel version. A snapshot allows you to recover the system if needed.
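The check in step 3, as an added example that is not part of the original documentation: a POSIX shell function that lists installed kernel packages whose version differs from the running kernel. The name `stale_kernels` is hypothetical and the sample package list is constructed; only linux-image-4.4.0-94-generic and its extra package come from this page.

```shell
#!/bin/sh
# stale_kernels RUNNING_VERSION  (hypothetical helper, not a Security Center tool)
# Reads installed kernel package names on stdin, one per line, and prints
# those that do not match the running kernel. Live input would come from:
#   rpm -q kernel                                      (CentOS)
#   dpkg-query -W -f '${Package}\n' 'linux-image-*'    (Ubuntu and Debian)
# with RUNNING_VERSION taken from: uname -r
stale_kernels() {
    awk -v running="$1" '
        {
            ver = $1
            # Strip the package-name prefix to get the string uname -r reports.
            if (!sub(/^kernel-/, "", ver)) sub(/^linux-image-(extra-)?/, "", ver)
            if (ver == $1 || ver !~ /^[0-9]/) next   # not a kernel image package
            if (ver == running) found = 1
            else stale[++n] = $1
        }
        END {
            # If the running kernel is not in the list, the input does not
            # describe this system: report nothing rather than flag every kernel.
            if (!found) exit 2
            for (i = 1; i <= n; i++) print stale[i]
        }'
}

# Constructed sample: an old 3.13 image left behind after the update to 4.4.
printf '%s\n' \
    linux-image-3.13.0-24-generic \
    linux-image-4.4.0-94-generic \
    linux-image-extra-4.4.0-94-generic |
    stale_kernels 4.4.0-94-generic
# prints linux-image-3.13.0-24-generic
```

A non-zero exit status with no output means the running kernel was not found in the supplied list, so nothing in that list should be treated as removable.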
If you do not want to delete the RPM package of the old kernel version, you can take the following steps to ignore alerts generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the target vulnerability and click the name to go to the Detail tab.
  4. Click More Operations in the Actions column, and click Ignore.

What should I do if I receive messages that indicate updates are unavailable for some vulnerabilities?

  • You may receive one of the following messages when you update software to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    or
    No Packages marked for Update

    In this case, wait until an official update of the software is available.

    Currently, the following software packages do not have available updates:
    • Gnutls
    • Libnl
    • Mariadb
  • After you update the software to the latest version, the software may still fail to meet the version requirement as described in the Security Center console.

    In this case, check whether the operating system version of your server is supported by Security Center. For example, as of September 1, 2017, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. In this case, we recommend that you ignore this vulnerability alert in the Security Center console or update the operating system version of the server. If you ignore this vulnerability alert, the risk may still exist.

The parameters of Linux software vulnerabilities

You can log on to the Security Center console, choose Precaution > Vulnerabilities, and then click the Linux Software tab to view Linux software vulnerabilities detected on your assets. You can click the name of a target vulnerability to go to the details page. The following content describes parameters of Linux software vulnerabilities:
  • Vul Notice
    The name of a Linux software vulnerability notice, which typically starts with CVE, RHSA, or USN. For example, RHSA-2016:2972: vim security update.
  • Impact

    A vulnerability impact, also known as the CVSS score, is a score based on the open criteria: Common Vulnerability Scoring System (CVSS). The CVSS score indicates the severity of a vulnerability, which allows you to prioritize the vulnerability.

  • CVE ID

    The Common Vulnerabilities and Exposures ID (CVE ID) of a vulnerability. For example, CVE-2016-XXXX. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures. You can find information about vulnerability fixes in a CVE-compatible database to help you solve security issues.

  • Priority
    The priority of a vulnerability, including: high, medium, and low.
    Note The vulnerability priority in the preceding figure is Medium. You can fix these vulnerabilities later.
    • High priority vulnerabilities include:
      • Vulnerabilities that attackers can exploit to directly obtain permissions to the operating system of your server.
      • Vulnerabilities that attackers can exploit to directly obtain sensitive data and cause data breaches.
      • Vulnerabilities that attackers can exploit to access unauthorized and sensitive information.
      • Vulnerabilities that can cause large-scale impacts.
    • Medium priority vulnerabilities include:
      • Vulnerabilities that attackers can exploit to indirectly obtain permissions to your server and application systems.
      • Vulnerabilities that attackers can exploit to read, download, write, or delete any files.
      • Vulnerabilities that can cause sensitive data leaks.
      • Vulnerabilities that can cause workload disruption or remote denial of service.
    • Low priority vulnerabilities include:
      • Vulnerabilities that impact users during system and user interactions.
      • Vulnerabilities that attackers can exploit to perform unauthorized activities.
      • Vulnerabilities that can be exploited after attackers change local configurations or obtain important information.
      • Vulnerabilities that can cause local denial of service (DoS).
      • Vulnerabilities that have minor impacts.
  • Impact description

    Provides information about the current software version, the cause, and the path of a vulnerability.

    On the details page of a vulnerability, click Details in the Actions column to view the impact description of the vulnerability.
    The impact description includes the following information:
    • Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
    • Cause: explains why the vulnerability is detected. Typically, it is because the current version of the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 1:5.5.56-2.el7.
    • Path: the path of the vulnerability program on your server. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
  • Actions
    You can perform the following actions on a detected Linux vulnerability:
    • Fix: fixes the vulnerability.
    • Verify: verifies whether the vulnerability is fixed.
    • Ignore: ignores the vulnerability.

    For more information, see Linux software vulnerabilities.
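How an RPM-style version comparison reaches an "earlier than" result like the one in the Cause parameter, as an added example that is not Security Center's own matching logic. The function name `evr_cmp` is hypothetical, the `~` and `^` modifiers of newer RPM versions are not handled, and Debian packages follow a different ordering (`dpkg --compare-versions`).

```shell
#!/bin/sh
# evr_cmp A B: prints -1, 0 or 1 when epoch:version-release A is older
# than, equal to, or newer than B (RPM-style ordering, hypothetical helper).
evr_cmp() {
    awk -v A="$1" -v B="$2" '
    function seg(s, re) { return match(s, re) ? substr(s, 1, RLENGTH) : "" }
    # Compare one version or release string segment by segment.
    function vercmp(a, b,    num, re, x, y) {
        while (1) {
            sub(/^[^A-Za-z0-9]+/, "", a); sub(/^[^A-Za-z0-9]+/, "", b)
            if (a == "" || b == "") break
            num = (a ~ /^[0-9]/)
            re = num ? "^[0-9]+" : "^[A-Za-z]+"
            x = seg(a, re); y = seg(b, re)
            if (y == "") return (num ? 1 : -1)     # digits beat letters
            a = substr(a, length(x) + 1); b = substr(b, length(y) + 1)
            if (num) {                             # numeric: longer is larger
                sub(/^0+/, "", x); sub(/^0+/, "", y)
                if (length(x) != length(y))
                    return (length(x) > length(y) ? 1 : -1)
            }
            if (x != y) return (x > y ? 1 : -1)    # same length: string order
        }
        if (a == "" && b == "") return 0
        return (a != "" ? 1 : -1)                  # leftover segments win
    }
    # Split "epoch:version-release"; a missing epoch counts as 0.
    function split_evr(s, out,    i) {
        out["e"] = 0
        if (match(s, /^[0-9]+:/)) {
            out["e"] = substr(s, 1, RLENGTH - 1) + 0
            s = substr(s, RLENGTH + 1)
        }
        i = match(s, /-[^-]*$/)
        out["v"] = i ? substr(s, 1, i - 1) : s
        out["r"] = i ? substr(s, i + 1) : ""
    }
    BEGIN {
        split_evr(A, ev1); split_evr(B, ev2)
        if (ev1["e"] != ev2["e"]) r = (ev1["e"] > ev2["e"] ? 1 : -1)
        else if ((r = vercmp(ev1["v"], ev2["v"])) == 0)
            r = vercmp(ev1["r"], ev2["r"])
        print r
    }'
}

# The mariadb-libs versions quoted on this page: installed vs. required.
evr_cmp 5.5.52-1.el7 1:5.5.56-2.el7    # prints -1
```

Numeric segments are compared as numbers, so a release of 94 sorts before 101 even though a plain string sort would order them the other way.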

Can Security Center detect Elasticsearch vulnerabilities?

Yes.

You can log on to the Security Center console and choose Precaution > Vulnerabilities > Application to view whether Elasticsearch vulnerabilities are detected. For more information about Elasticsearch vulnerabilities and solutions, see.

Note Only the Enterprise edition of Security Center supports application vulnerability detection. Users of the Basic and Advanced editions must upgrade Security Center to the Enterprise edition.

How do I handle a connection timeout between my server and the yum repository of Alibaba Cloud?

If the connection times out, the following error message is displayed:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

In this case, make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket for after-sales service.

How do I handle the "Invalid token" error when I fix a vulnerability?

If you receive the Invalid token message in the Security Center console, you can refresh the page, and log on to the Security Center console again.
Note You can press Ctrl and F5 at the same time to refresh the current page.

What should I do if Security Center fails to verify a system vulnerability fix?

To handle this issue, perform the following steps:
  1. Check the server kernel version.
  2. Check whether the system uses the yum repository of Alibaba Cloud.
  3. Check whether you have verified the vulnerability fix after a kernel update.
    Note You must restart the system after a kernel update.
  4. Make sure that the target software version is not earlier than the version recommended by Security Center.

If the issue persists, we recommend that you update the operating system.

Why does the status of a vulnerability remain unchanged when I verify the vulnerability fix?

After you run the command generated by Security Center to fix a system software vulnerability, the system software is updated. The new software version meets the requirement of Security Center. However, when you Verify the fixed vulnerability in the Security Center console, the vulnerability status does not change to Fixed.

To handle this issue, perform the following steps:
  • Check vulnerability scan levels

    To check vulnerability scan levels, perform the following steps:

    1. Log on to the Security Center console.
    2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
    3. On the Vulnerabilities page, click Settings in the upper-right corner.
    4. On the Settings page, view Vul scan level.

    If the scan level is not selected, Security Center does not automatically update the information about vulnerabilities of the same priority. You can select scan levels as needed.

  • Check whether the version of the Security Center agent is outdated.

    If the version of the Security Center agent on your server is outdated, vulnerability detection may not be supported. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is offline.

    If the Security Center agent on your server is offline, you cannot verify vulnerability fixes. We recommend that you troubleshoot the causes and make sure that the Security Center agent is online. For more information, see Identify why the agent is offline.

Why does Security Center fail to undo a vulnerability fix?

To handle this issue, perform the following steps:
  1. Make sure that the Security Center agent on your server is online. If the Security Center agent is offline, troubleshoot the causes. For more information, see Identify why the agent is offline.
  2. Check whether the files related to this vulnerability have already been manually modified or deleted.
    Note To avoid accidental modifications on your files, if the related files have been manually modified or deleted after the vulnerability is fixed, Security Center cannot undo the fix.

Scan cycle

Security Center can detect and fix vulnerabilities such as Linux software vulnerabilities, Windows vulnerabilities, web CMS vulnerabilities, application vulnerabilities, and urgent vulnerabilities. The following table lists the default scan cycle for each vulnerability type.

Can Security Center detect system and application vulnerabilities?

Yes.

How is real-time vulnerability scan implemented?

Security Center collects new URLs in your assets on a daily basis, and scans these URLs in the early morning. Security Center also checks whether detected vulnerabilities have been fixed. The URLs are collected in real time and scanned in the early morning.

What should I do if Security Center fails to verify a fixed baseline check risk?

To handle this issue, perform the following steps:
  • Check whether the version of the Security Center agent is outdated.

    If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline check risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is offline.

    If the Security Center agent on your server is offline, Security Center will fail to verify a fixed baseline check risk. Make sure that the Security Center agent on your server is online. For more information, see Identify why the agent is offline.