This topic describes the possible causes of vulnerability fix failures that occur in the Security Center console and the solutions to them.

Overview

Vulnerability fixes may fail due to various causes, such as an outdated system, incompatibility between the patch and the server, or a poor network connection. This topic covers the common causes of vulnerability fix failures. If the cause of a vulnerability fix failure is not mentioned in this topic, we recommend that you search the Internet for more information about the specific vulnerability to troubleshoot the failure.

Scenarios

You can refer to this topic to troubleshoot fix failures for the following vulnerabilities:
  • Linux software vulnerabilities
  • Windows vulnerabilities
  • Web-CMS vulnerabilities

Possible causes that lead to fix failures of Windows and Linux software vulnerabilities

If the system prompts that a fix failed when you fix a Windows or Linux software vulnerability in the Security Center console, see the following table to troubleshoot the failure.

Notice: We recommend that you identify the cause of a fix failure by following instructions in the table from top to bottom.

Possible cause: The network connection is abnormal.
Description: If a network connection error occurs on your server, the vulnerability fix may fail.
Solution: Troubleshoot the network connection error.

Possible cause: The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.
Description: If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix may fail. Network connection errors on the server, high CPU utilization, or high memory usage may cause the Security Center agent to disconnect from Alibaba Cloud.
Solution: Troubleshoot the Security Center agent disconnection. For more information, see Troubleshoot why the Security Center agent is offline.

Possible cause: The disk or memory space of the server on which the vulnerability is detected is insufficient.
Description: If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.
Solution: To troubleshoot this failure, perform the following steps:
  1. Increase the storage space of the server or delete unnecessary files from the server.
  2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console. For more information, see Linux software vulnerabilities and Windows vulnerabilities.

Possible cause: No permissions are granted to read or write the disk file system of the server on which the vulnerability is detected.
Description: If you do not have the read and write permissions on the disk file system, Security Center cannot download the patch package that is required to fix the vulnerability.
Solution: To troubleshoot this failure, perform the following steps:
  1. Obtain the read and write permissions on the disk file system.
  2. After you obtain the permissions, fix the vulnerability again in the Security Center console. For more information, see Linux software vulnerabilities and Windows vulnerabilities.

Possible cause: Linux vulnerability: Configuration errors occur in the system update source for the server on which the vulnerability is detected.
Description: If configuration errors occur in the system update source or the YUM repositories are not up-to-date, Security Center cannot install the update as expected.
Solution: To troubleshoot this failure, perform the following steps:
  1. Reconfigure the system update source. The following methods are available:
    • Log on to the Security Center console and open the Vulnerabilities page. In the upper-right corner of the page, click Settings. In the panel that appears, select Priority to use Alibaba Cloud source for YUM/APT Source Configuration.

      After you select the option, Security Center automatically uses the YUM or APT source of Alibaba Cloud to download the update and fix the vulnerability. This increases the success rate of vulnerability fixes.

    • Make sure that the YUM repositories are up-to-date.
  2. Fix the vulnerability again in the Security Center console. For more information, see Linux software vulnerabilities.

Possible cause: Linux vulnerability: The RPM database is corrupted.
Description: If the RPM database is corrupted, Security Center cannot install the software package that is required to fix the vulnerability.
Solution: To troubleshoot this failure, perform the following steps:
  1. Run the rm -f /var/lib/rpm/__db.* command to delete the RPM lock file.
  2. Run the rpm --rebuilddb command to rebuild the RPM database.
     Notice: This command may take a long time to run.

Possible cause: Windows vulnerability: The prepatch for the vulnerability is missing.
Description: If the prepatch for the vulnerability is missing, the vulnerability fix may fail.
Solution: To troubleshoot this failure, perform the following steps:
  1. Install the prepatch.
  2. After the prepatch is installed, fix the vulnerability again in the Security Center console. For more information, see Windows vulnerabilities.

Possible cause: Windows vulnerability: The Windows Update or Windows Modules Installer service is disabled on the server on which the vulnerability is detected.
Description: If the Windows Update or Windows Modules Installer service is disabled, Security Center cannot download the patch package that is required to update the server system.
Solution: To troubleshoot this failure, perform the following steps:
  1. Enable the Windows Update and Windows Modules Installer services.
  2. Fix the vulnerability again in the Security Center console. For more information, see Windows vulnerabilities.

Possible cause: Windows vulnerability: Errors occurred during the downloading and installation of the patch package that is required to fix the vulnerability.
Description: If the patch package is not found or is incompatible with the server operating system, the vulnerability fix may fail.
Solution: To troubleshoot this failure, perform the following steps:
  • The patch package is not found.

    Download the patch package again. Then, fix the vulnerability.

  • The patch package is incompatible with the server operating system.

    Log on to the Security Center console and ignore the vulnerability on the Vulnerabilities page.

  • Another patch is being installed.

    You cannot install two patches at the same time. We recommend that you fix the vulnerability after the current patch is installed.

Possible cause: Windows vulnerability: Other errors occur on the server.
Description: None.
Solution: To troubleshoot this failure, perform the following steps:
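
For the corrupted RPM database entry in the table above: the two commands delete files and rebuild the database in place, so the following added example (not part of the original documentation) backs up the database directory first, checks free space for the backup and the rebuilt copy, and only then removes the stale __db.* files. The function names, return codes and the /root/rpm-backup path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original documentation): make the RPM database
# repair reversible. Function names, return codes and paths are assumptions.

# Free space in KiB on the filesystem that holds $1.
free_kib() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# Size in KiB of directory $1.
dir_kib() { du -sk "$1" | awk '{print $1}'; }

# prepare_rpm_rebuild DB_DIR BACKUP_ROOT
# Copies DB_DIR to a timestamped backup, then removes the stale Berkeley DB
# files (__db.001, __db.002, ...). Prints the backup path on success.
# Returns: 0 ok, 2 directory missing or not writable, 3 not enough free
# space, 4 a package manager is still running.
prepare_rpm_rebuild() {
  local db_dir="$1" backup_root="$2" need backup
  [ -d "$db_dir" ] && [ -w "$db_dir" ] || return 2
  mkdir -p "$backup_root" || return 2
  # Do not remove the files while rpm, yum or dnf is still running.
  if command -v pgrep >/dev/null 2>&1 && pgrep -x 'rpm|yum|dnf' >/dev/null; then
    return 4
  fi
  # Conservative: room for the backup plus the copy rpm writes while rebuilding.
  need=$(( $(dir_kib "$db_dir") * 2 ))
  [ "$(free_kib "$db_dir")" -ge "$need" ] || return 3
  [ "$(free_kib "$backup_root")" -ge "$need" ] || return 3
  backup="$backup_root/rpm-$(date +%Y%m%d%H%M%S)"
  cp -a "$db_dir" "$backup" || return 2
  # Two underscores: the pattern _db.* does not match __db.001.
  rm -f "$db_dir"/__db.*
  printf '%s\n' "$backup"
}

# rebuild_and_verify DB_DIR
# Rebuilds the database and confirms that it answers a query afterwards.
rebuild_and_verify() {
  rpm --dbpath "$1" --rebuilddb && rpm --dbpath "$1" -qa >/dev/null
}

# Usage on a real host, as root:
#   backup=$(prepare_rpm_rebuild /var/lib/rpm /root/rpm-backup) &&
#     rebuild_and_verify /var/lib/rpm || echo "restore from: $backup"
```

If the rebuild or the query fails, the printed backup directory still holds the database as it was before any file was removed.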

Possible causes that lead to fix failures of Web-CMS vulnerabilities

If the system prompts that a fix failed when you fix a Web-CMS vulnerability in the Security Center console, see the following table to troubleshoot the failure.

Notice: We recommend that you identify the cause of a fix failure by following instructions in the table from top to bottom.

Possible cause: The network connection is abnormal.
Description: If a network connection error occurs on your server, the vulnerability fix may fail.
Solution: Troubleshoot the network connection error.

Possible cause: The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.
Description: If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix may fail. Network connection errors on the server, high CPU utilization, or high memory usage may cause the Security Center agent to disconnect from Alibaba Cloud.
Solution: Troubleshoot the Security Center agent disconnection. For more information, see Troubleshoot why the Security Center agent is offline.

Possible cause: The disk or memory space of the server on which the vulnerability is detected is insufficient.
Description: If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.
Solution: To troubleshoot this failure, perform the following steps:
  1. Increase the storage space of the server or delete unnecessary files from the server.
  2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console. For more information, see Web-CMS vulnerabilities.

Possible cause: Third-party security software is installed on the server on which the vulnerability is detected.
Description: If security software, such as SafeDog, is installed on the server and you have optimized directory permissions or modified relevant settings by using the software, the system account may not have permissions to write the files in the www directory and its subdirectories. As a result, the vulnerability fix may fail.
Solution: Check whether the system account has the read and write permissions on the www directory and its subdirectories. If no, manually grant the permissions to the system account.

Possible cause: The vulnerability file does not exist.
Description: If the vulnerability file is deleted, Security Center prompts that the fix failed.
Solution: To troubleshoot this failure, perform the following steps:
  1. Check whether the vulnerability file is deleted from the specific server directory, which can be obtained from the vulnerability details in the Security Center console.
  2. If the vulnerability file is deleted, ignore the vulnerability. For more information, see Ignore a vulnerability.

References

We recommend that you fix vulnerabilities at the earliest opportunity. Before you fix vulnerabilities, make sure that you understand the preparations and risk prevention measures. For more information, see Fix software vulnerabilities.

For more information about vulnerability fixes, see FAQ overview.