Does the vulnerability scan feature scan for system vulnerabilities and application vulnerabilities?

Yes. This feature scans for server system vulnerabilities and Web CMS vulnerabilities.

How is real-time vulnerability scan implemented?

Vulnerability scan collects the new URLs in your assets every day, and scans these URLs in the early morning. This feature also checks whether the vulnerabilities that were detected earlier have been fixed. The URLs are collected in real time.

How do I handle a connection timeout between my server and the Yum repository of Alibaba Cloud?

If the connection times out, the following error message is displayed:
[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are correct, and wait a while. If the problem persists, submit a ticket for help.

How do I handle the error "Invalid token" when fixing a vulnerability?

Refresh the page, and log on to the Alibaba Cloud Security console again.
Note You can press Ctrl+F5 to refresh the page.

How do I handle a failed verification of system vulnerability fix in Security Center?

Perform the following operations:
  1. Check the software version affected by the vulnerability.
  2. Check whether the Yum repository of Alibaba Cloud is used.
  3. Check whether you have verified the vulnerability fix after a system update.
    Note You must restart the server to make a kernel update take effect.
  4. Make sure that the target software version is not earlier than the version recommended by Security Center.

If the problem still persists, we recommend that you update the operating system.

How do I query the vulnerability information of the current software version?

Security Center determines whether your server has software vulnerabilities by comparing your installed system software versions with the software versions known to contain CVE vulnerabilities. To view the vulnerability information for the current software version, you can go to the Security Center console or run commands on your server.
  • View information in Security Center

    Log on to the Security Center console, and choose Vulnerabilities in the left pane. On the Vulnerabilities page, the system software vulnerabilities on your server are displayed. For more information about parameter descriptions of Linux software vulnerabilities, see Linux software vulnerability parameter descriptions.

  • View software version information on your server
    You can also view the information of the current software version on your server.
    • CentOS

      Run the rpm -qa | grep xxx command. Replace xxx with the software package name. For example, you can run the rpm -qa | grep bind-libs command to view the bind-libs version information on your server.

    • Ubuntu and Debian
      Run the dpkg-query -W -f '${Package} -- ${Source}\n' | grep xxx command. Replace xxx with the software package name. For example, you can run the dpkg-query -W | grep bind-libs command to view the bind-libs version information on your server.
      Note If the software package does not exist, run the dpkg-query -W command to view all the software on your server.
    After you obtain your software version information, you can check whether your software version is mentioned in the descriptions of system software vulnerabilities detected by Security Center. In a vulnerability description, "software" indicates the current software version, and "cause" indicates the reason why Security Center determines your server has a vulnerability.
    Note After you update a piece of software, Security Center may collect the remaining files of the old software version and regard these files as a vulnerability. We recommend that you ignore the vulnerability alerts triggered in such situations. You can also run the yum remove or apt-get remove command to delete the old software package. Before you delete the package, make sure that the old version software is no longer required by any service or application on your server.

How do I update kernel 3.1* to kernel 4.4 in Ubuntu 14.04?

Kernel updates can be risky. We recommend that you read Best practices for fixing system software vulnerabilities before updating the kernel.

  1. Run the uname -av command to check whether the kernel version is 3.1*.
  2. Run the following commands to check whether the latest kernel update package is available.
    • apt list | grep linux-image-4.4.0-94-generic
    • apt list | grep linux-image-extra-4.4.0-94-generic

    If no update package is available, you can run the apt-get update command to obtain the latest update package.

  3. Run the following commands to update the kernel:
    • apt-get update && apt-get install linux-image-4.4.0-94-generic
    • apt-get update && apt-get install linux-image-extra-4.4.0-94-generic
  4. After the update package is installed, restart the server to load the kernel.
  5. Run the following commands to verify the update:
    • Run the uname -av command to view the current kernel information.
    • Run the dpkg -l | grep linux-image command to view the kernel information.

Why does Security Center still alert me on vulnerabilities after the kernel update?

After a kernel update, files of the old software version often remain in your system. If a vulnerability alert is triggered by such remaining files, you can ignore this alert or delete these files.
  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the latest version is used.
  2. Security Center determines whether your server has system software vulnerabilities based on the software version. If the RPM installation package of the old version remains in your system, Security Center will detect this package and generate vulnerability alerts. Make sure that your system does not contain the RPM installation package of the old version. If such a package remains, delete it.
  3. Before deleting the RPM installation package of the old version, make sure that the new kernel is already in use. We recommend that you create a snapshot for your system before uninstalling the installation package of the old kernel version. A snapshot helps you recover the system if needed.
Note If you do not want to uninstall the old version kernel, make sure that the new kernel is in use, and ignore the related vulnerability alert. Specifically, log on to the Security Center console, and choose Vulnerabilities > Server Vulnerabilities. Click Ignore for this vulnerability.
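The two checks described above (comparing an installed package version against the version that carries the fix, and telling leftover old kernel packages apart from the kernel that is actually running) both come down to ordering package versions correctly. The following Python script is an added example written for this page; it is not Security Center code and does not reproduce its detection logic. It parses constructed `rpm -qa` and `dpkg-query -W` output, applies an RPM-style version comparison (tilde and caret handling omitted), and reports a "software"/"cause" pair in the spirit of the vulnerability description. The package inventory, the running kernel string and the fixed-in version FIXED_BIND_LIBS are constructed placeholders, not real advisory data.

```python
"""Added example: order package versions to decide "vulnerable vs fixed" and to
find leftover old kernel packages. Inventories and fixed-in versions below are
constructed for illustration only."""
import re
from functools import cmp_to_key

# Architecture suffixes that `rpm -qa` appends to every package line.
ARCHES = ("x86_64", "i686", "i386", "noarch", "aarch64")
RPM_LINE = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>%s)$"
    % "|".join(ARCHES))


def _tokens(s):
    """rpmvercmp tokenisation: runs of digits and runs of letters; everything
    else is a separator. ('~' and '^' special cases are omitted.)"""
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like RPM's rpmvercmp(): numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment sorts after an
    alphabetic one, and a longer string wins when all shared segments tie.
    dpkg's rules differ in corner cases ('~', '+'), so Debian results are an
    approximation."""
    if a == b:
        return 0
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def compare_evr(a, b):
    """Compare (epoch, version, release) tuples segment by segment."""
    for x, y in zip(a, b):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def parse_rpm_line(line):
    """'bind-libs-9.8.2-0.68.rc1.el6.x86_64' -> name, (epoch, version, release), arch."""
    m = RPM_LINE.match(line.strip())
    if not m:
        raise ValueError("not an rpm -qa line: %r" % line)
    return {"name": m["name"], "evr": ("0", m["version"], m["release"]),
            "arch": m["arch"], "nevra": line.strip()}


def parse_dpkg_line(line):
    """One line of `dpkg-query -W -f '${Package} ${Version}\\n'`, e.g.
    'bind9-libs 1:9.8.1.dfsg.P1-4ubuntu0.30' -> name, (epoch, upstream, revision)."""
    name, ver = line.split(None, 1)
    epoch, _, rest = ver.rpartition(":") if ":" in ver else ("0", "", ver)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "0")
    return {"name": name, "evr": (epoch, upstream, revision), "nevra": line.strip()}


def assess(pkg, fixed_evr):
    """Mimic the 'software' / 'cause' fields of a vulnerability description:
    the package is vulnerable while its installed EVR sorts below the fixed EVR."""
    vulnerable = compare_evr(pkg["evr"], fixed_evr) < 0
    cause = ("installed %s is earlier than fixed version %s"
             % ("-".join(pkg["evr"][1:]), "-".join(fixed_evr[1:]))
             if vulnerable else "installed version is at or above the fixed version")
    return {"software": pkg["nevra"], "vulnerable": vulnerable, "cause": cause}


def stale_kernels(rpm_qa_lines, running_release):
    """From `rpm -qa` lines and `uname -r`, report whether the newest installed
    kernel is the running one, and which older kernel packages are left over
    (the files that can keep an alert open after an update)."""
    kernels = [p for p in map(parse_rpm_line, rpm_qa_lines) if p["name"] == "kernel"]
    kernels.sort(key=cmp_to_key(lambda p, q: compare_evr(p["evr"], q["evr"])))
    newest = kernels[-1]
    running_nevra = "kernel-" + running_release  # on CentOS, uname -r includes the arch
    leftovers = [k["nevra"] for k in kernels
                 if k["nevra"] != running_nevra and compare_evr(k["evr"], newest["evr"]) < 0]
    return newest["nevra"] == running_nevra, leftovers


# Constructed inventory (not a real host) and a placeholder fixed-in EVR.
RPM_QA = [
    "bind-libs-9.8.2-0.68.rc1.el6.x86_64",
    "kernel-2.6.32-754.33.1.el6.x86_64",
    "kernel-2.6.32-754.35.1.el6.x86_64",
    "kernel-devel-2.6.32-754.35.1.el6.x86_64",
]
DPKG_W = ["bind9-libs 1:9.8.1.dfsg.P1-4ubuntu0.30"]
FIXED_BIND_LIBS = ("0", "9.8.2", "0.68.rc1.el6_10.1")

if __name__ == "__main__":
    print(assess(parse_rpm_line(RPM_QA[0]), FIXED_BIND_LIBS))
    print(stale_kernels(RPM_QA, "2.6.32-754.35.1.el6.x86_64"))  # newest running, one leftover
    print(stale_kernels(RPM_QA, "2.6.32-754.33.1.el6.x86_64"))  # newer kernel installed, reboot pending
```

The second stale_kernels call shows the "reboot pending" state: a newer kernel package is installed but the running release still matches the old one, so nothing should be removed yet. Only when the newest package is the running one does the older package count as a leftover that can be uninstalled after a snapshot, as the steps above recommend.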

Why is no software update available to fix vulnerabilities detected by Security Center?

  • You may receive the following messages when attempting to fix a vulnerability:
    Package xxx already installed and latest version
    Nothing to do
    or
    No Packages marked for Update

    In this case, wait until an official update of the software is available.

    The following software packages do not have available updates:
    • Gnutls
    • Libnl
    • Mariadb
  • After you update a software package to the latest version, the software version may still fail to meet the version requirement as described in Security Center.

    In this case, check whether your OS version is supported by Security Center. For example, as of September 1, 2017, OS versions such as CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. We recommend that you ignore this vulnerability in the Security Center console or update the server OS. If you ignore this vulnerability, it remains risky for your system.

How do I manually detect Linux software vulnerabilities?

For more information about manually detecting the system software vulnerabilities on your server, see Manually detect Linux software vulnerabilities.

We recommend that you use the system software vulnerability detection feature of Security Center. This feature can automatically detect system software vulnerabilities on a regular basis.

Why does the vulnerability status remain unchanged when I verify a vulnerability fix?

After you run the command generated by Security Center for fixing a system software vulnerability, the system software is updated. The new software version is not one of the versions with vulnerabilities as listed in the vulnerability description. However, when you click Verify for the vulnerability in the Security Center console, the vulnerability status is not changed to Fixed.

You can perform the following operations to locate the cause:
  • Check the vulnerability severities that you have subscribed to.

    Log on to the Security Center console. Choose Settings > Notification, and check the Severity column for Vulnerabilities.

    The data of vulnerabilities with deselected severities is not automatically updated.

  • Check whether the agent version is earlier than required.

    If the version of the Security Center agent on your server is earlier than required, vulnerability scan may not be supported. If the agent is not automatically updated, we recommend that you manually install the latest agent. For more information, see Install the agent.

  • Check whether the agent is offline.

    If the Security Center agent on your server is offline, you cannot use the vulnerability management feature to verify vulnerability fixes. Make sure that the agent on your server is online. For more information, see Bring the agent online.

Why is no command generated after I click Generate Fix Command?

If no command is generated after you click Generate Fix Command for a Linux software vulnerability, you can use the following methods to locate the cause:
  • Check the vulnerability severities that you have subscribed to.

    Log on to the Security Center console. Choose Settings > Notification, and check the Severity column for Vulnerabilities.

    The data of vulnerabilities with deselected severities is not automatically updated.

  • Check whether the agent version is earlier than required.

    If the version of the Security Center agent on your server is earlier than required, vulnerability scan may not be supported. If the agent is not automatically updated, we recommend that you manually install the latest agent. For more information, see Install the agent.

  • Check whether the agent is offline.

    If the Security Center agent on your server is offline, you cannot use the vulnerability management feature to verify vulnerability fixes. Make sure that the agent on your server is online. For more information, see Bring the agent online.

Why did I fail to undo the fix of a vulnerability?

If an error occurred while undoing the fix of a vulnerability, you can use the following methods to locate the cause:
  1. Make sure that the Security Center agent on your server is online. If the agent is offline, locate the cause. For more information, see Bring the agent online.
  2. Check whether the files related to this vulnerability have been manually modified or deleted from your server.
    Note If the related files have been manually modified or deleted after the vulnerability was fixed, Security Center does not roll back these files, so that they are not modified by mistake.

Vulnerability scan cycle

Security Center detects and fixes vulnerabilities including Linux software vulnerabilities, Windows vulnerabilities, Web CMS vulnerabilities, and urgent vulnerabilities.

Security Center automatically scans for Linux software vulnerabilities, Windows vulnerabilities, and Web CMS vulnerabilities once every other day. Manual operations are required to detect urgent vulnerabilities.

Security Center also automatically detects other vulnerabilities, such as those in software configuration and system components.

You can view and handle the detected vulnerabilities on the Vulnerabilities page in the Security Center console.

For more information, see Vulnerability management settings and whitelist configuration.