This topic provides answers to some commonly asked questions about vulnerability fixes, baseline checks, and cloud service configuration assessment.
- Questions about Linux software vulnerabilities
  - How do I manually detect Linux software vulnerabilities on my servers?
  - How do I view the current software version and vulnerability details?
  - How do I update kernel 3.1* to kernel 4.4 on Ubuntu 14.04?
  - Is a system restart required after I fix a vulnerability?
  - What can I do if Security Center still sends a vulnerability alert to me after I update the kernel?
  - What can I do if no update software package is released for a vulnerability?
  - The parameters of Linux software vulnerabilities
- Questions about vulnerability fixes
  - How do I fix vulnerabilities?
  - When I use Security Center to fix multiple vulnerabilities at a time, in what order are the vulnerabilities fixed?
  - Why do I fail to create a snapshot when I fix a vulnerability? What can I do?
  - What can I do if Security Center still sends vulnerability alerts to me after I fix vulnerabilities?
  - What can I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?
  - When the Security Center agent is disabled or disconnected from Alibaba Cloud, why are the records of the detected vulnerabilities still displayed in the Security Center console?
  - How do I delete a Windows patch from the directory of the Security Center agent?
  - Can Security Center detect Elasticsearch vulnerabilities?
  - How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?
  - How do I handle the "Invalid token" error message when I fix a vulnerability?
  - What can I do if Security Center fails to verify the fix of a system vulnerability?
  - Can Security Center automatically verify the fix of a vulnerability that requires a system restart?
  - Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?
  - Why does Security Center fail to roll back a vulnerability fix?
- Questions about vulnerability scans
  - What can I do if I cannot enable the vulnerability detection feature for a server on the Assets page?
  - Are my workloads affected when Security Center is scanning for emergency vulnerabilities?
  - Why are the results different when Security Center scans multiple times for fastjson emergency vulnerabilities?
  - Scan cycles
  - Can Security Center detect system and application vulnerabilities?
- Questions about baseline checks
How do I manually detect Linux software vulnerabilities on my servers?
You can manually detect Linux software vulnerabilities on your servers by using command lines. For more information, see How do I manually detect Linux software vulnerabilities?
We recommend that you use the detection feature that is provided by Security Center to detect Linux software vulnerabilities. This feature automatically detects vulnerabilities in a timely manner on a regular basis.
How do I view the current software version and vulnerability details?
- View the current software version and vulnerability details in the Security Center console
  Log on to the Security Center console. In the left-side navigation pane, choose . On the Vulnerabilities page, view the system software version and vulnerability details. For more information about the system software vulnerabilities, see The parameters of Linux software vulnerabilities.
- View details of the current software version on your server
  You can also run a command to view details of the current software version:
  - CentOS
    Run the `rpm -qa | grep xxx` command. `xxx` specifies the name of the software package. For example, you can run the `rpm -qa | grep bind-libs` command to view the version details of the `bind-libs` software package.
  - Ubuntu and Debian
    Run the `dpkg-query -W -f '${Package} -- ${Source}\n' | grep xxx` command. `xxx` specifies the name of the software package. For example, you can run the `dpkg-query -W | grep bind-libs` command to view the version details of software package `bind-libs`.
    Note If the specified software package is not found, run the `dpkg-query -W` command to view all the software installed on your server.
  After you obtain the version details of the software, compare it with the details of the system software vulnerabilities that are detected by Security Center. In the details of a vulnerability, Software and Cause indicate the version of the current software and the reason why Security Center determines that your server has the vulnerability.
  Note After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore this alert. You can run the `yum remove` or `apt-get remove` command to delete the old software package. Before you delete the package, make sure that the old software version is no longer required by any workload or application.
How do I update kernel 3.1* to kernel 4.4 on Ubuntu 14.04?
- Run the `uname -av` command to check whether the kernel version is 3.1*.
- Run the following commands to check whether the latest kernel update package is available:
  `apt list | grep linux-image-4.4.0-94-generic`
  `apt list | grep linux-image-extra-4.4.0-94-generic`
- If no update package is available, run the `apt-get update` command to obtain the latest update package.
- Run the following commands to install the update package:
  `apt-get update && apt-get install linux-image-4.4.0-94-generic`
  `apt-get update && apt-get install linux-image-extra-4.4.0-94-generic`
- After the update package is installed, restart the server to load the kernel.
- After the server is restarted, run the following commands to verify the update:
  - Run the `uname -av` command to query the current kernel version.
  - Run the `dpkg -l | grep linux-image` command to query the details of the current kernel.
Is a system restart required after I fix a vulnerability?
- Windows servers:
After you fix a Windows system vulnerability in the Security Center console, you must restart the server system to validate the fix.
This applies to all servers that run Windows.
- Linux servers:
After you fix a Linux kernel vulnerability in the Security Center console, you must restart the server system to validate the fix. If one of the following conditions is met, you must restart the system after you fix a vulnerability.
- The server runs Linux and the vulnerability that you fix is a Linux kernel vulnerability.
- On the Linux Software tab, the vulnerability that you fix is tagged with Restart Required. You can perform the following steps to navigate to the Linux Software tab: Log on to the Security Center console. In the left-side navigation pane, choose .
What can I do if Security Center still sends a vulnerability alert to me after I update the kernel?
This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To fix this issue, you can perform the following operations:
- After the kernel is updated, run the `uname -av` and `cat /proc/version` commands to view the current kernel version. Make sure that the current version meets the requirement described in the vulnerability details.
- Run the `cat /etc/grub.conf` command to query the configuration file. Make sure that the current system uses the latest kernel version.
- Security Center assesses whether your server contains Linux software vulnerabilities based on the kernel version. If your system contains the Red Hat Package Manager (RPM) package of the old kernel version, Security Center will detect it and generate an alert. Make sure that your system does not contain the RPM package of the old kernel version. If your system contains the RPM package of the old kernel version, delete the package.
  Note Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot for your system before you delete the RPM package of the old kernel version. The snapshot allows you to recover the system in case of unusual situations.
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- On the Linux Software tab, find the vulnerability that you want to ignore and click the vulnerability name. The details page of the vulnerability appears.
- In the Actions column, click the icon and select Ignore.
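The leftover-package check described above, as an added example that is not part of the original page or of Security Center: it lists installed kernel packages that do not match the running kernel and reports whether the running kernel is the newest one installed, which the note requires before anything is deleted. The function names and the sample package list are constructed for illustration, `sort -V` stands in for the package manager's own version ordering, and the Debian/Ubuntu `linux-image-` naming goes beyond the RPM case in the text.

```shell
#!/bin/sh
# Added example (not Security Center code): find kernel packages left behind
# after a kernel update. Nothing is removed; the script only reports.

# Constructed sample in the format `rpm -qa` prints (one package per line).
SAMPLE_RPM_QA='kernel-3.10.0-514.el7.x86_64
kernel-3.10.0-1160.el7.x86_64
kernel-tools-3.10.0-1160.el7.x86_64
bind-libs-9.11.4-26.el7.x86_64'

# kernel_pkg_version PKG: print the version-release of a kernel image package,
# or return 1 when PKG is not one (kernel-tools, meta packages, other software).
kernel_pkg_version() {
    case "$1" in
        kernel-[0-9]*)            printf '%s\n' "${1#kernel-}" ;;
        linux-image-extra-[0-9]*) printf '%s\n' "${1#linux-image-extra-}" ;;
        linux-image-[0-9]*)       printf '%s\n' "${1#linux-image-}" ;;
        *) return 1 ;;
    esac
}

# stale_kernel_packages RUNNING: read package names on stdin and print every
# kernel package whose version differs from RUNNING (the output of `uname -r`).
stale_kernel_packages() {
    running="$1"
    while IFS= read -r pkg; do
        ver=$(kernel_pkg_version "$pkg") || continue
        [ "$ver" = "$running" ] || printf '%s\n' "$pkg"
    done
}

# running_is_newest RUNNING: succeed only when RUNNING is the highest kernel
# version among the packages on stdin. If it fails, the host has not booted
# the updated kernel yet and the older packages must stay.
running_is_newest() {
    newest=$(while IFS= read -r pkg; do
                 kernel_pkg_version "$pkg" || true
             done | sort -V | tail -n 1)
    [ "$newest" = "$1" ]
}

# Demo on the constructed sample. On a real host use:
#   rpm -qa | stale_kernel_packages "$(uname -r)"                      (CentOS)
#   dpkg-query -W -f '${Package}\n' | stale_kernel_packages "$(uname -r)"
printf '%s\n' "$SAMPLE_RPM_QA" | stale_kernel_packages "3.10.0-1160.el7.x86_64"
```
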
What can I do if no update software package is released for a vulnerability?
Perform the following operations based on your requirements:
- You may receive one of the following messages when you update software to fix a vulnerability:
  `Package xxx already installed and latest version Nothing to do`
  or
  `No Packages marked for Update`
  In this case, wait until an official update of the software package is available.
  The following software packages do not have available updates:
  - Gnutls
  - Libnl
  - Mariadb
- After you update the software package to the latest version, the software package may still fail to meet the version requirement described in the Security Center console.
  In this case, check whether the operating system version of your server is supported. For example, starting September 1, 2017, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. We recommend that you ignore this vulnerability in the Security Center console or update the operating system of your server. Even if you ignore the vulnerability, the risk may still exist.
The parameters of Linux software vulnerabilities
- Vulnerability
  The name of a Linux software vulnerability notice, which starts with CVE, RHSA, or USN. For example, RHSA-2016: 2972: vim security update.
- Impact
  The vulnerability impact score, which is based on the open criteria Common Vulnerability Scoring System (CVSS). The score indicates the severity of a vulnerability, which allows you to prioritize the vulnerability.
- CVE ID
  The CVE ID of a vulnerability. For example, CVE-2016-XXXX. The CVE system provides a reference method for public information-security vulnerabilities and exposures. You can find information about vulnerability fixes in a CVE-compatible database to solve security issues.
- Priority
  The priority of a vulnerability. Valid values: High, Medium, and Low.
  Note The vulnerability priority in the preceding figure is Medium. You can fix these vulnerabilities later.
  - The following vulnerabilities have the High priority:
    - Vulnerabilities that attackers can exploit to obtain permissions on the operating system of your server.
    - Vulnerabilities that attackers can exploit to obtain sensitive data and cause data breaches.
    - Vulnerabilities that can cause unauthorized access to sensitive data.
    - Vulnerabilities that can cause large-scale impacts.
  - The following vulnerabilities have the Medium priority:
    - Vulnerabilities that attackers can exploit to indirectly obtain permissions on your server and application systems.
    - Vulnerabilities that attackers can exploit to read, write, download, or delete files.
    - Vulnerabilities that cause sensitive data leaks.
    - Vulnerabilities that can cause workload disruption or remote denial-of-service attacks.
  - The following vulnerabilities have the Low priority:
    - Vulnerabilities that affect users during system and user interactions.
    - Vulnerabilities that attackers can exploit to perform unauthorized operations.
    - Vulnerabilities that attackers can exploit after they change on-premises configurations or obtain important information.
    - Vulnerabilities that can cause on-premises denial-of-service attacks.
    - Vulnerabilities that have minor impacts.
- Impact description
  The information about the current version of the software, the reason why the vulnerability is detected, and the path of the vulnerability program on your server.
  On the details page of a vulnerability, click Details in the Actions column to view the impact description of the vulnerability. The impact description includes the following information:
  - Software: the current version of the software. In the preceding figure, the version of mariadb-libs is 5.5.52-1.el7.
  - Cause: the reason why the vulnerability is detected. In most cases, the reason is that the software is outdated. In the preceding figure, the vulnerability is detected because the version of mariadb-libs is earlier than 1:5.5.56-2.el7.
  - Path: the path of the vulnerability program on your server. In the preceding figure, the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.
- Actions
  You can perform the following operations on a detected Linux vulnerability:
  - Fix: Fix the vulnerability.
  - Verify: Check whether the vulnerability is fixed.
  - Ignore: Ignore the vulnerability.
For more information, see Linux software vulnerabilities.
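How the Cause comparison above plays out for the mariadb-libs versions quoted in the text, as an added example (not Security Center's own logic): `rpm -qa` omits the epoch, so the installed version is queried with an explicit epoch and compared epoch first. The function names are hypothetical, a missing epoch is treated as 0 as RPM does, the epoch 1 on the installed package is an assumption, and `sort -V` approximates RPM's version ordering.

```shell
#!/bin/sh
# Added example: compare an installed epoch:version-release (EVR) with the
# fixed version shown in a vulnerability's Cause field.
# On a real host, read the installed EVR together with its epoch:
#   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' mariadb-libs
# rpm prints "(none)" in place of the epoch when the package has none.

# evr_epoch EVR: print the epoch; a missing or "(none)" epoch counts as 0.
evr_epoch() {
    case "$1" in
        "(none):"*) printf '0\n' ;;
        *:*)        printf '%s\n' "${1%%:*}" ;;
        *)          printf '0\n' ;;
    esac
}

# evr_rest EVR: print version-release with any epoch prefix removed.
evr_rest() {
    case "$1" in
        *:*) printf '%s\n' "${1#*:}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# evr_lt A B: succeed when A is strictly older than B. The epoch decides
# first; version-release is only consulted when the epochs are equal.
evr_lt() {
    ea=$(evr_epoch "$1"); eb=$(evr_epoch "$2")
    [ "$ea" -lt "$eb" ] && return 0
    [ "$ea" -gt "$eb" ] && return 1
    ra=$(evr_rest "$1"); rb=$(evr_rest "$2")
    [ "$ra" = "$rb" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ra" "$rb" | sort -V | head -n 1)
    [ "$oldest" = "$ra" ]
}

# verdict INSTALLED FIXED: print "affected" while INSTALLED is older than FIXED.
verdict() {
    if evr_lt "$1" "$2"; then printf 'affected\n'; else printf 'fixed\n'; fi
}

# Versions from the text; the epoch on the installed side is assumed.
verdict "1:5.5.52-1.el7" "1:5.5.56-2.el7"   # installed version before the update
verdict "1:5.5.56-2.el7" "1:5.5.56-2.el7"   # after the update, epoch included
verdict "5.5.56-2.el7"   "1:5.5.56-2.el7"   # same package with the epoch dropped
```

The last call shows why the epoch must be queried explicitly: with the epoch dropped, an updated package still compares as older than the fixed version.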
How do I fix vulnerabilities?
You can use Security Center to detect and automatically fix Linux software vulnerabilities, Windows vulnerabilities, and Web-CMS vulnerabilities. For application vulnerabilities and emergency vulnerabilities, you must manually fix them.
Log on to the Security Center console. In the left-side navigation pane, click Vulnerabilities. On the Vulnerabilities page, find the Linux software vulnerability, Windows vulnerability, or Web-CMS vulnerability that you want to fix and click Fix in the Actions column. You can create a snapshot before you fix a Linux software vulnerability or Windows system vulnerability. After you fix a vulnerability, the status of the vulnerability that requires a system restart changes to Handled (To Be Restarted). You must restart your system as instructed before you check whether the vulnerability is fixed.
For emergency vulnerabilities and application vulnerabilities, you can manually fix them based on the fix suggestions displayed on the vulnerability details page. After you fix a vulnerability, you can check whether the vulnerability is fixed on the Vulnerabilities page.
When I use Security Center to fix multiple vulnerabilities at a time, in what order are the vulnerabilities fixed?
Linux software vulnerabilities and Web-CMS vulnerabilities are fixed in the order in which they appear in the vulnerability list in the Security Center console. Certain Windows system vulnerabilities require pre-patches before Security Center can fix them. When multiple Windows system vulnerabilities are fixed, such vulnerabilities are fixed first. Other vulnerabilities are fixed in the order in which they appear in the vulnerability list in the Security Center console.
Why do I fail to create a snapshot when I fix a vulnerability? What can I do?
- You are fixing the vulnerability as a RAM user: If you are fixing the vulnerability as a RAM user that does not have the permissions to create a snapshot, the console prompts that you cannot create a snapshot. We recommend that you use an Alibaba Cloud account to create a snapshot. For more information about RAM users, see Overview of a RAM user.
- The server is not an Alibaba Cloud server: You can only fix vulnerabilities and create snapshots for Alibaba Cloud servers.
What can I do if Security Center still sends vulnerability alerts to me after I fix vulnerabilities?
This issue occurs because a system restart is required after you fix Linux kernel vulnerabilities. Go to the vulnerability details page and click Restart in the Actions column. After the system is restarted, you can click Verify in the Actions column. If the status of the vulnerability changes to Handled, the vulnerability is fixed.
What can I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?
This issue occurs because your account does not have permissions to manage the file required to fix the vulnerability. We recommend that you find the vulnerability that you want to fix and click the vulnerability name. In the panel that appears, view the details of the vulnerability and check whether the owner of the file is the root user. If the owner is not the root user, you must change the owner to the root user. Then, you can go back to the Security Center console and fix the vulnerability.
When the Security Center agent is disabled or disconnected from Alibaba Cloud, why are the records of the detected vulnerabilities still displayed in the Security Center console?
The records of detected vulnerabilities are retained in the Security Center console even though the Security Center agent is disabled or disconnected from Alibaba Cloud.
After the Security Center agent is disabled or disconnected from Alibaba Cloud for more than three days, all the detected vulnerabilities become invalid. In this case, you cannot perform operations on vulnerabilities. For example, you cannot fix vulnerabilities or delete the records of vulnerabilities.
If you do not renew Security Center within seven days after it expires, your data is released and deleted. Then, the detected vulnerabilities are no longer displayed.
How do I delete a Windows patch from the directory of the Security Center agent?
- Log on to the Security Center console.
- In the left-side navigation pane, click Settings.
- Optional. Disable self-protection for the Security Center agent.
If you have not enabled self-protection, skip this step and go to the next step.
When self-protection is enabled, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent. For more information about self-protection, see Client protection.
- Log on to your server as an administrator.
- Find the patch and manually delete it.
The path of the patch is: C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix.
Can Security Center detect Elasticsearch vulnerabilities?
Yes, Security Center can detect Elasticsearch vulnerabilities.
You can perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose and click the Application tab. Then, check whether Elasticsearch vulnerabilities exist. For more information about Elasticsearch vulnerabilities and solutions, see [Vulnerability notice] Multiple high-risk vulnerabilities in Elasticsearch.
How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')
Make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket to contact after-sales service.
How do I handle the "Invalid token" error message when I fix a vulnerability?
What can I do if Security Center fails to verify the fix of a system vulnerability?
- Check the version of the vulnerability.
- Check whether the system uses the YUM repository of Alibaba Cloud.
- Check whether you have verified the vulnerability fix after a system update.
Note You must restart the system after you update the kernel.
- Make sure that the software version to which you update is not earlier than the version recommended by Security Center.
If the issue persists, we recommend that you update the operating system.
Can Security Center automatically verify the fix of a vulnerability that requires a system restart?
No, Security Center cannot automatically verify the fix.
If a vulnerability is fixed but requires a system restart to verify the fix, the state of the vulnerability is Handled (To Be Restarted). Security Center scans for vulnerabilities on a daily basis. After you fix vulnerabilities of the preceding type, Security Center no longer detects such vulnerabilities. In this case, Security Center retains the information about these vulnerabilities for three days. Make sure that networks are functioning as expected and no other factors are affecting vulnerability detection. After three days, the information is deleted.
Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?
After you run the command generated by Security Center to fix a system software vulnerability, the system software is updated. The new software version meets the requirement on the Vulnerabilities page of the Security Center console. However, when you click Verify in the panel that displays the details of the vulnerability, the state of the vulnerability does not change to Fixed.
- Check the priority levels of vulnerabilities that Security Center detects
Perform the following steps:
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- On the Vulnerabilities page, click Settings in the upper-right corner.
- On the Settings page, view Vul scan level.
If you do not select a specific priority, Security Center does not automatically update the information about vulnerabilities of that priority. You can select priorities based on your requirements.
- Check whether the version of the Security Center agent is outdated
If the version of the Security Center agent on your server is outdated, Security Center may not be able to detect vulnerabilities. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.
- Check whether the Security Center agent is disconnected from Alibaba Cloud
If the Security Center agent on your server is disconnected from Alibaba Cloud, you cannot verify vulnerability fixes. We recommend that you troubleshoot the issue and ensure that the Security Center agent is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.
Why does Security Center fail to roll back a vulnerability fix?
- Make sure that the Security Center agent on your server is connected to Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, troubleshoot the issue. For more information, see Identify why the agent is offline.
- Check whether the files related to this vulnerability have already been manually modified or deleted.
Note To avoid accidental modifications on your files, if the related files are manually modified or deleted after the vulnerability is fixed, Security Center cannot undo the fix.
What can I do if I cannot enable the vulnerability detection feature for a server on the Assets page?

Are my workloads affected when Security Center is scanning for emergency vulnerabilities?
Security Center checks whether your assets contain emergency vulnerabilities based on the preliminary detection principle. Security Center sends one or two TCP request packets to the IP addresses of all your Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances. The packets do not contain any malicious behaviors. The emergency vulnerability detection feature has been tested on millions of IP addresses. Therefore, this feature is highly stable and reliable. However, staging environments cannot cover all scenarios. Therefore, unknown risks may still occur. For example, if the business logic of some websites is vulnerable, one or two TCP requests may cause the server to crash. In this case, your business system may be at risk.
Why are the results different when Security Center scans multiple times for fastjson emergency vulnerabilities?
The detection of fastjson vulnerabilities depends on whether JAR packages are loaded. A web server loads JAR packages in a dynamic mode or a static mode. In dynamic mode, fastjson vulnerabilities can be detected only when JAR packages are running. Therefore, the scan results are different. We recommend that you scan for fastjson vulnerabilities multiple times to improve the accuracy of scan results.
Scan cycles
Security Center can detect and fix vulnerabilities such as Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, emergency vulnerabilities, and application vulnerabilities. The following table lists the default scan cycle for each vulnerability type.
Can Security Center detect system and application vulnerabilities?
Yes, Security Center can detect system and application vulnerabilities.
What can I do if Security Center fails to verify a fixed baseline risk?
- Check whether the version of the Security Center agent is outdated
If the version of the Security Center agent on your server is outdated, Security Center may fail to verify a fixed baseline risk. If the Security Center agent is not automatically updated, we recommend that you manually install the latest version. For more information, see Install the Security Center agent.
- Check whether the Security Center agent is connected to Alibaba Cloud
If the Security Center agent on your server is not connected to Alibaba Cloud, Security Center cannot verify a fixed baseline risk. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. For more information, see Identify why the agent is offline.
What are the differences between baselines and vulnerabilities?
Baselines describe the minimum security requirements for system configurations and management. For example, the following items are considered baselines: service and application configurations, configurations for operating system components, permission settings, and system management rules. The baseline check feature of Security Center provides security checks for your operating systems, databases, software, and containers. This feature supports the following baseline types: weak passwords, account permissions, identity authentication, password policies, access control, security audit, and intrusion prevention. In this case, you can improve system security based on the check results and suggestions provided by Security Center. For more information about check items, see Check items.
Vulnerabilities refer to flaws in operating system implementation or security policies. Attackers can exploit vulnerabilities to access the data on your servers or undermine the security of your servers. We recommend that you fix detected vulnerabilities in a timely manner to protect your assets.
The baseline check feature is a value-added service of Security Center. Only users of the Advanced or Enterprise edition can activate and enable this feature. You must upgrade the Basic or Basic Anti-Virus edition to the Advanced or Enterprise edition before you can use the baseline check feature. For more information about upgrades, see Upgrade and downgrade Security Center.