This topic provides answers to some frequently asked questions about vulnerability fixes, baseline checks, and configuration assessment.

How do I manually detect Linux software vulnerabilities on my servers?

You can run commands on your servers to manually detect Linux software vulnerabilities. For more information, see How do I manually detect Linux software vulnerabilities?

We recommend that you use the feature provided by Security Center to detect Linux software vulnerabilities. This feature automatically detects vulnerabilities in a timely manner on a regular basis.

How do I view the current software version and vulnerability details?

Security Center compares the software versions installed on your server with the software versions that are affected by known Common Vulnerabilities and Exposures (CVE) entries to determine whether your server contains software vulnerabilities. To view vulnerability details of the current software version, you can use one of the following methods:
  • View the current software version and vulnerability details in the Security Center console

    Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities. On the Vulnerabilities page, view the system software version and vulnerability details. For more information about the Linux software vulnerabilities, see How do I view the parameters of Linux software vulnerabilities?

  • View details of the current software version on your server
    You can run a command to view details of the current software version:
    • CentOS

      Run the rpm -qa | grep xxx command. xxx specifies the name of the software package. For example, you can run the rpm -qa | grep bind-libs command to view the version details of the bind-libs software package.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} -- ${Source}\n' | grep xxx command. xxx specifies the name of the software package. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of the bind-libs software package.
      Note If the specified software package is not found, run the dpkg-query -W command to view all the software that is installed on your server.
    After you obtain the version details of the software, compare the version details with the details of the Linux software vulnerabilities detected by Security Center. In the details of a vulnerability, Software and Cause indicate the version of the current software and the reason based on which Security Center determines that your server has the vulnerability.
    Note After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore the alert. Also, you can run the yum remove or apt-get remove command to delete the software package of the old version. Before you delete the package, make sure that the old software version is no longer required by your workloads or applications.

How do I update kernel 3.1* to kernel 4.4 on Ubuntu 14.04?

Notice Risks may arise when you update the kernel version. We recommend that you follow the instructions provided in Fix software vulnerabilities.
To update kernel 3.1* to kernel 4.4 on Ubuntu 14.04, perform the following steps:
  1. Run the uname -av command to confirm that the kernel version is 3.1*.
  2. Run the following commands to check whether the latest kernel update package is available:
    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic
  3. If no package is available, run the apt-get update command to obtain the latest update package.
  4. Run the following commands to install the latest update package:
    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  5. After the update package is installed, restart the server to load the kernel.
  6. After the server is restarted, run the following commands to verify the update:
    • Run the uname -av command to query the current kernel version.
    • Run the dpkg -l | grep linux-image command to query the details of the current kernel.

Do I need to restart my server after I fix a vulnerability?

  • Windows servers:

    After you fix a Windows system vulnerability in the Security Center console, you must restart your server to validate the fix.

    This applies to all servers that run Windows.

  • Linux servers:
    After you fix a Linux kernel vulnerability in the Security Center console, you must restart your server to validate the fix. This applies if one of the following conditions is met:
    • Your server runs Linux, and the vulnerability that you fix is a Linux kernel vulnerability.
    • On the Linux Software tab, the vulnerability that you fix is tagged with Restart Required. You can perform the following steps to go to the Linux Software tab: Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities.

What do I do if Security Center continues to send a vulnerability alert to me after I update the kernel?

This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To fix this issue, you can perform the following steps:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current kernel version meets the requirement that is described in the vulnerability details.
  2. Run the cat /etc/grub.conf command to query the configuration file. Make sure that the current system uses the latest kernel version.
  3. Security Center determines whether your server contains Linux software vulnerabilities based on the kernel version. If your system still contains the Red Hat Package Manager (RPM) package of the old kernel version, Security Center detects that package and generates an alert. Make sure that your system does not contain the RPM package of the old kernel version. If your system contains the RPM package of the old kernel version, delete the package.
    Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot for your system before you delete the RPM package of the old kernel version. If exceptions occur, you can use the snapshot to restore your system.
If you do not want to delete the RPM package of the old kernel version, you can perform the following steps to ignore the alerts that are generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. Click the Linux Software tab, find the required vulnerability, and then click the vulnerability name. The details page of the vulnerability appears.
  4. In the Actions column, click the More icon and select Ignore.
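The two checks described above, comparing an installed package version with the epoch:version-release quoted in Cause, and finding old kernel packages that remain installed beside the running kernel, can be scripted. The following Python is an added example and not Security Center's own code; it reimplements the RPM version ordering in simplified form, and the rpm -q kernel output, uname -r value, and version numbers (modelled on the mariadb-libs values quoted under Impact description later in this topic) are constructed.

```python
import re

# Tokenise a version/release string the way rpm does: runs of digits or letters,
# with every other character treated as a separator.
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
# `rpm -q kernel` prints NAME-VERSION-RELEASE.ARCH; capture VERSION-RELEASE.
_KERNEL_PKG = re.compile(r"^kernel-(?P<evr>.+)\.(?:x86_64|aarch64|i686|noarch)$")


def rpmvercmp(a, b):
    """Compare two version or release strings like rpm's rpmvercmp().
    Simplified: the '~' and '^' special cases are not handled.
    Returns -1 (a older), 0 (equal) or 1 (a newer)."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():          # numeric segments compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():         # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        elif x != y:                             # alpha segments compare as strings
            return -1 if x < y else 1
    if len(ta) != len(tb):                       # leftover segments make a string newer
        return -1 if len(ta) < len(tb) else 1
    return 0


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).
    A missing epoch is 0.  This is why '5.5.52-1.el7' is older than
    '1:5.5.56-2.el7' even though a plain string sort puts '5' after '1'."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Full rpm ordering: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed, required):
    """True when the installed EVR is earlier than the EVR quoted in Cause."""
    return compare_evr(installed, required) < 0


def stale_kernel_packages(rpm_q_output, running_kernel):
    """Given the lines printed by `rpm -q kernel` and the value of `uname -r`,
    return the kernel packages older than the running kernel.  Those are the
    leftovers that keep the alert alive after the kernel has been updated."""
    running_evr = running_kernel.rsplit(".", 1)[0]   # drop the trailing .arch
    stale = []
    for line in rpm_q_output.splitlines():
        m = _KERNEL_PKG.match(line.strip())
        if m and compare_evr(m.group("evr"), running_evr) < 0:
            stale.append(line.strip())
    return stale


if __name__ == "__main__":
    # Values modelled on the mariadb-libs example in this FAQ.
    print(is_vulnerable("5.5.52-1.el7", "1:5.5.56-2.el7"))    # True: epoch 0 < 1
    print(is_vulnerable("1:5.5.60-1.el7", "1:5.5.56-2.el7"))  # False: 5.5.60 > 5.5.56
    # Constructed `rpm -q kernel` output and `uname -r` value after an update.
    rpm_q = "kernel-3.10.0-514.el7.x86_64\nkernel-3.10.0-1160.el7.x86_64\n"
    print(stale_kernel_packages(rpm_q, "3.10.0-1160.el7.x86_64"))
    # -> ['kernel-3.10.0-514.el7.x86_64']: a yum remove candidate once the new
    #    kernel is confirmed in uname -r and in the GRUB default entry.
```

A package reported by stale_kernel_packages is only a candidate for removal; confirm first, as the Note above says, that the running kernel and the GRUB default are the new version and that a snapshot exists.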

What do I do if no update is released for the software package that has a vulnerability?

You can take different countermeasures based on the following scenarios:

  • You may receive one of the following messages when you update software to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    or
    No Packages marked for Update

    In this case, wait until an official update of the software package is available.

    The following software packages do not have available updates:
    • Gnutls
    • Libnl
    • MariaDB
  • After you update the software package to the latest version, the software package may still fail to meet the version requirement that is described in the Security Center console.

    In this case, check whether the operating system version of your server is supported. For example, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported since September 1, 2017. If your operating system version is not supported, we recommend that you ignore the vulnerability in the Security Center console or update the operating system of your server. If you ignore the vulnerability, the risk may still exist.

How do I view the parameters of Linux software vulnerabilities?

You can log on to the Security Center console, choose Precaution > Vulnerabilities, and then click the Linux Software tab to view Linux software vulnerabilities that are detected on your assets. You can click the name of a specific vulnerability to go to the details page. The following list describes the parameters of Linux software vulnerabilities:
  • Vulnerability
    The notice name of a Linux software vulnerability. The name starts with CVE, RHSA, or USN. Example: RHSA-2016:2972: vim security update.
  • Impact

    The vulnerability impact score, which is based on the open Common Vulnerability Scoring System (CVSS) standard. The score indicates the severity of a vulnerability, which allows you to prioritize the vulnerability.

  • CVE ID

    The CVE ID of a vulnerability. Example: CVE-2016-XXXX. The CVE system provides a reference method for public information-security vulnerabilities and exposures. You can query the information about vulnerability fixes from all databases that are compatible with CVE to solve security issues.

  • Priority
    The priority of a vulnerability. Valid values: High, Medium, and Low.
    Note The vulnerability priority in the preceding figure is Medium. You can fix the vulnerabilities later.
    • The following vulnerabilities have the High priority:
      • Vulnerabilities that attackers can exploit to obtain permissions on the operating system of your server.
      • Vulnerabilities that attackers can exploit to obtain sensitive data and cause data leaks.
      • Vulnerabilities that can cause unauthorized access to sensitive data.
      • Vulnerabilities that can cause large-scale impacts.
    • The following vulnerabilities have the Medium priority:
      • Vulnerabilities that attackers can exploit to indirectly obtain permissions on the operating system of your server and applications.
      • Vulnerabilities that attackers can exploit to read, write, download, or delete files.
      • Vulnerabilities that can cause sensitive data leaks.
      • Vulnerabilities that can cause workload disruption or remote denial-of-service attacks.
    • The following vulnerabilities have the Low priority:
      • Vulnerabilities that affect users only during system and user interactions.
      • Vulnerabilities that attackers can exploit to perform unauthorized operations.
      • Vulnerabilities that attackers can exploit after the attackers change the configurations of on-premises machines or obtain important information.
      • Vulnerabilities that can cause on-premises denial-of-service attacks.
      • Vulnerabilities that have minor impacts.
  • Impact description

    The information about the current version of the software, the reason based on which the vulnerability is detected, and the path of the vulnerability program on your server.

    On the details page of a vulnerability, you can click Details in the Actions column to view the impact description of the vulnerability.
    The impact description includes the following items:
    • Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
    • Cause: the reason based on which the vulnerability is detected. In most scenarios, the reason is that the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 1:5.5.56-2.el7.
    • Path: the path of the vulnerability program on your server. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
  • Actions
    You can perform the following operations on a detected Linux software vulnerability:
    • Fix: Fix the vulnerability.
    • Verify: Check whether the vulnerability is fixed.
    • Ignore: Ignore the vulnerability.

    For more information, see View and handle Linux software vulnerabilities.

How do I fix vulnerabilities?

Security Center can detect Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities, and urgent vulnerabilities. However, Security Center can fix only Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities.

Log on to the Security Center console. In the left-side navigation pane, click Vulnerabilities. On the Vulnerabilities page, find the Linux software vulnerability, Windows system vulnerability, or Web-CMS vulnerability that you want to fix and click Fix in the Actions column. You can create a snapshot before you fix a Linux software vulnerability or Windows system vulnerability. After you fix a vulnerability, the status of the vulnerability that requires a system restart changes to Handled (To Be Restarted). You must restart your server as instructed before you check whether the vulnerability is fixed.

For urgent vulnerabilities and application vulnerabilities, you can manually fix the vulnerabilities based on the fix suggestions that are provided on the vulnerability details page. After you fix a vulnerability, you can check whether the vulnerability is fixed on the Vulnerabilities page.

In what order are vulnerabilities fixed if I fix multiple vulnerabilities at the same time in the Security Center console?

Linux software vulnerabilities and Web-CMS vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console. For specific Windows system vulnerabilities, pre-patches are required before Security Center can fix the vulnerabilities. When multiple Windows system vulnerabilities are fixed, vulnerabilities that require pre-patches are fixed before other vulnerabilities. Other vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console.

I fail to create a snapshot when I fix a vulnerability. Why? What do I do?

When you fix a vulnerability, you may fail to create a snapshot due to the following reasons:
  • A RAM user is used to fix the vulnerability: If the RAM user does not have the permissions to create a snapshot, the Security Center console prompts that you cannot create a snapshot. We recommend that you use an Alibaba Cloud account to create a snapshot. For more information about RAM users, see Overview of a RAM user.
  • Your server is not deployed on Alibaba Cloud: You can create snapshots to fix vulnerabilities only when your server is deployed on Alibaba Cloud.

Why does Security Center continue to send alerts to me after I fix vulnerabilities? What do I do?

This issue occurs when a fix requires a server restart and the server has not been restarted yet. In this situation, the vulnerabilities are Linux kernel vulnerabilities. To restart your server, go to the vulnerability details page and click Restart in the Actions column. After your server is restarted, you can click Verify in the Actions column. If the status of the vulnerability changes to Handled, the vulnerability is fixed.

What do I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?

This issue occurs because your account does not have permissions to manage the file required to fix the vulnerability. We recommend that you find the vulnerability that you want to fix in the Security Center console and click the vulnerability name. In the panel that appears, view the details of the vulnerability and check whether the owner of the file is the root user. If the owner is not the root user, you must change the owner to the root user. Then, you can go back to the Security Center console to fix the vulnerability.

Why are the records of the detected vulnerabilities still displayed in the Security Center console after the Security Center agent is disabled or disconnected from Alibaba Cloud?

The records of detected vulnerabilities are still displayed in the Security Center console after the Security Center agent is disabled or disconnected from Alibaba Cloud.

After the Security Center agent is disabled or disconnected from Alibaba Cloud for more than three days, all detected vulnerabilities become invalid. In this case, you cannot perform operations on the vulnerabilities. For example, you cannot fix the vulnerabilities or delete the records of the vulnerabilities.

If you do not renew Security Center within seven days after Security Center expires, your data is released and deleted, and the detected vulnerabilities are no longer displayed.

How do I delete a Windows patch from the directory of the Security Center agent?

If you use the Security Center agent to fix a Windows system vulnerability, the Security Center agent automatically downloads, installs, and deletes the patch. If the Security Center agent does not delete the patch three days after the vulnerability is fixed, perform the following steps to manually delete the patch:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. Optional. Disable self-protection for the Security Center agent.

    If self-protection is never enabled, skip this step and go to the next step.

    If self-protection is enabled, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent. For more information about self-protection, see Use proactive defense.

  4. Log on to your server as an administrator.
  5. Find the patch and manually delete the patch.

    The path of the patch is C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix.

Can Security Center detect Elasticsearch vulnerabilities?

Yes, Security Center can detect Elasticsearch vulnerabilities.

You can perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose Precaution > Vulnerabilities and click the Application tab. Then, check whether Elasticsearch vulnerabilities exist. For more information about Elasticsearch vulnerabilities and solutions, see [Vulnerability notice] Multiple high-risk vulnerabilities in Elasticsearch.

Note Only Security Center Enterprise supports application vulnerability detection. To use application vulnerability detection, users of the Basic, Basic Anti-Virus, or Advanced edition must upgrade Security Center to the Enterprise edition.

How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?

If a connection times out, the following error message appears:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket to contact after-sales service.

The "Invalid token" error message appears when I fix a vulnerability. What do I do?

If you receive the Invalid token error message in the Security Center console, you can refresh the current page and log on to the console again.
Note You can press Ctrl+F5 to forcibly refresh the current page.

What do I do if Security Center fails to verify the fix of a system vulnerability?

To fix this issue, perform the following steps:
  1. Check the version information of the vulnerability.
  2. Check whether the system uses the YUM repository of Alibaba Cloud.
  3. Check whether the fix is verified after a system update.
    Note You must restart the system after you update the kernel.
  4. Check whether the target version of the software update is earlier than the version that Security Center requires. The update must reach the required version or a later version.

If the issue persists, we recommend that you update the operating system.

Can Security Center automatically verify the fix of a vulnerability that requires a system restart?

No, Security Center cannot automatically verify the fix of a vulnerability that requires a system restart.

If a vulnerability is fixed and a system restart is required to verify the fix, the state of the vulnerability is Handled (To Be Restarted). Security Center scans for vulnerabilities on a daily basis. After you fix vulnerabilities of this type, Security Center no longer detects these vulnerabilities. In this case, Security Center retains the information about these vulnerabilities for three days. During this period, make sure that the network works as expected and that no other factors interfere with vulnerability detection. After three days, the information is deleted.

Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?

After you run the command generated by Security Center to fix a Linux software vulnerability, the Linux software is updated. The new software version meets the requirement described on the Vulnerabilities page of the Security Center console. However, when you click Verify in the panel that displays the details of the vulnerability, the state of the vulnerability does not change to Fixed.

To handle this issue, perform the following steps:
  • Check the priorities of the vulnerabilities that are detected by Security Center

    Perform the following steps:

    1. Log on to the Security Center console.
    2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
    3. On the Vulnerabilities page, click Settings in the upper-right corner.
    4. In the Settings panel, view Vul scan level.

    If you do not select a specific priority, Security Center does not automatically update the information about the vulnerabilities that have the priority. You can select priorities based on your business requirements.

  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may not be able to detect vulnerabilities. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is disconnected from Alibaba Cloud

    If the Security Center agent on your server is disconnected from Alibaba Cloud, you cannot verify the fix for the vulnerability. We recommend that you troubleshoot the issue and ensure that the Security Center agent is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

Why does Security Center fail to roll back a fix for a vulnerability?

To handle this issue, perform the following steps:
  1. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. If the Security Center agent is disconnected from Alibaba Cloud, troubleshoot the issue. For more information, see Identify why the agent is offline.
  2. Check whether the files related to this vulnerability are manually modified or deleted.
    Note If the related files are manually modified or deleted after the vulnerability is fixed, Security Center cannot roll back the fix.

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?

In the upper-right corner of the Vulnerabilities page, click Settings. In the Settings panel, you can select the servers for which you want to enable the vulnerability detection feature. In the following figure, "Scan-Disabled: 4" indicates that Security Center cannot detect Linux software vulnerabilities for four servers. To enable Security Center to detect Linux software vulnerabilities for the servers, click Manage.

Are my workloads affected when Security Center is scanning for urgent vulnerabilities?

Security Center checks whether your assets contain urgent vulnerabilities based on the preliminary detection principle. Security Center sends one or two TCP request packets to the IP addresses of all your Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances. The packets carry no malicious payload. The feature of urgent vulnerability detection was tested on millions of IP addresses and showed highly stable and reliable performance. However, test environments cannot cover all scenarios. Therefore, unknown risks may still occur. For example, if the business logic of some websites is fragile, one or two TCP request packets may cause the server to fail. In this scenario, your business system may be at risk.

Why are the results different when Security Center scans multiple times for fastjson urgent vulnerabilities?

Whether fastjson vulnerabilities can be detected depends on whether the relevant JAR packages are loaded. A web server loads JAR packages in dynamic mode or static mode. In dynamic mode, fastjson vulnerabilities can be detected only while the JAR packages are loaded and running, so the results of different scans can differ. We recommend that you scan for fastjson vulnerabilities multiple times to improve the accuracy of scan results.

How often does Security Center detect vulnerabilities?

Security Center can detect vulnerabilities such as Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, urgent vulnerabilities, and application vulnerabilities. You can fix the detected vulnerabilities. The following table lists the default scan cycle for each vulnerability type.

Can Security Center detect system- and application-layer vulnerabilities?

Yes, Security Center can detect system- and application-layer vulnerabilities.

What do I do if Security Center fails to verify a fixed baseline check risk?

To handle this issue, perform the following steps:
  • Check whether the version of the Security Center agent is outdated

    If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.

  • Check whether the Security Center agent is connected to Alibaba Cloud

    If the Security Center agent on your server is disconnected from Alibaba Cloud, Security Center cannot verify a fixed baseline risk. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.

What are the differences between baselines and vulnerabilities?

Baselines describe the minimum security requirements for system configurations and management. Baselines include service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center provides security checks for your operating systems, databases, software, and containers. This feature supports the following baseline types: weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. This way, you can improve system security based on the check results and suggestions provided by Security Center. For more information about check items, see Check items.

Vulnerabilities refer to flaws in operating system implementation or security policies. Attackers can exploit vulnerabilities to access the data on your servers or undermine the security of your servers. We recommend that you fix detected vulnerabilities at the earliest opportunity to protect your assets.

The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade Security Center.