Troubleshoot vulnerability fix failures

Overview

Vulnerability fixes may fail due to various causes, such as an outdated system, incompatibility between the patch and the server, or a poor network connection. This topic covers common possible causes of vulnerability fix failures. If the cause of a vulnerability fix failure is not mentioned in this topic, we recommend that you search the Internet for more information about the specific vulnerability to troubleshoot the failure.

Scenarios

Possible causes that lead to fix failures of Windows and Linux software vulnerabilities

If the system prompts that the fix failed when you fix a Windows or Linux software vulnerability in the Security Center console, perform the following steps to identify the cause of the failure:

1. Check whether the Security Center agent is connected to Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, vulnerability fixes may fail. Network connection errors on your server, high CPU utilization, or high memory usage may cause the Security Center agent to disconnect from Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, we recommend that you troubleshoot the issues in a timely manner. For more information, see Troubleshoot why the Security Center agent is offline.
2. Check the available space of the disk on your server. If the disk does not have sufficient space, Security Center cannot download the patch packages that are required to fix the vulnerability.

   In this case, increase the disk space or delete unnecessary files on your server. Then, fix the vulnerability again.

3. Check whether you have read/write permissions on disk files. If you do not have read/write permissions on disk files, vulnerability fixes may fail because the patch package cannot be downloaded.

   In this case, obtain the required permissions on disk files. Then, fix the vulnerability again.

4. Check other possible causes based on the operating system that your server runs:
   • Linux

     Check whether the system update source is correctly configured. In the upper-right corner of the Vulnerabilities page, click Settings. In the pane that appears, select YUM/APT Source Configuration. If you select YUM/APT Source Configuration, Security Center automatically uses the YUM or APT source of Alibaba Cloud to fix the vulnerability. This helps you improve the efficiency of vulnerability fixing.

     For more information about Linux software vulnerabilities, see FAQ.

   • Windows
     1. No available patch package

        The correct patch package is not downloaded. You can download the required patch package and then fix the vulnerability.

     2. Incompatible patch package

        Check whether the patch package is compatible with the operating system that your server runs. If the patch package is incompatible, you can log on to the Security Center console and ignore the vulnerability on the Vulnerabilities page.

     3. Another patch being installed

        You cannot install two patches at a time. We recommend that you fix the vulnerability after the current patch is installed.

     4. Other settings
        1. Check whether the Cryptographic Services of the Windows Update service is running as expected.
        2. Check whether you have the permissions to read and execute the files in the C:\Windows directory.
        3. Check whether the Windows Update service is running as expected.
        4. Reset Windows Update components. For more information, see Windows Update - additional resources.

Possible causes that lead to fix failures of Web-CMS vulnerabilities

If the system prompts that the fix failed when Security Center fixes Web-CMS vulnerability, perform the following steps to identify the cause of the failure:

1. Check whether the Security Center agent is connected to Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, vulnerability fixes may fail. Network connection errors on your server, high CPU utilization, or high memory usage may cause the Security Center agent to disconnect from Alibaba Cloud. If the Security Center agent is not connected to Alibaba Cloud, we recommend that you troubleshoot the issues in a timely manner. For more information, see Troubleshoot why the Security Center agent is offline.
2. Check whether security software, such as SafeDog, is installed on your server and whether you have optimized directory permissions or modified relevant settings. If you have performed directory optimization, the system account may not have permissions to write the files in the www directory and its subdirectories.

   Make sure that the system account of your server has read/write permissions on the files in the www directory and its subdirectories. If the system account does not have read/write permissions, grant the permissions to the system account.

3. Check whether the file related to the vulnerability is manually modified, or whether you have manually installed the official patch for the vulnerability. If the file is manually modified, the MD5 hash value of the file may have changed. In this case, Security Center does not modify the file to prevent modifying your file by mistake. Therefore, Security Center fails to fix the vulnerability.

   If you have manually fixed the vulnerability, you can verify the fix in the Security Center console. If the status of the vulnerability changes to Fixed 24 hours after you verify the fix, the fix is successful.

4. If you receive a message indicating that the vulnerability file does not exist, go to the file path that is provided in the vulnerability description and check whether the file is deleted.

   If the vulnerability file is deleted, ignore the alert.

5. Check the disk space on your server. If the disk does not have sufficient space, Security Center cannot download the patch packages that are required to fix the vulnerability.

   In this case, increase the disk space or delete unnecessary files on your server. Then, fix the vulnerability again.