Linux software vulnerabilities - Precautions| Alibaba Cloud Documentation Center

Security Center can detect and fix Linux software vulnerabilities. This topic describes how to view and manage Linux software vulnerabilities.

Background information

The Basic edition of Security Center only scans for vulnerabilities, but does not fix them. To use Security Center to fix vulnerabilities, you must activate the Advanced or Enterprise edition. For more information about features supported by each edition, see Features.

View vulnerability information

Log on to the Security Center console.
In the left-side navigation pane, choose Precaution > Vulnerabilities.
On the Linux Software tab, you can view the vulnerabilities detected in Linux software. The name of a vulnerability starts with USN, RHSA, or CVE.
- View vulnerability updates
- View vulnerability priorities
  The number of vulnerabilities that have different priorities are displayed in different colors.
  - Red: High priority.
  - Orange: Medium priority.
  - Gray: Low priority.
  Note We recommend that you fix High priority vulnerabilities immediately.
- Add vulnerabilities to the whitelist
  On the Linux Software tab, select one or more target vulnerabilities and click Add to Whitelist to add them to the whitelist. After the target vulnerabilities are added to the whitelist, Security Center no longer generates alerts when they are detected.
  
  Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Linux Software tab. Click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.
  
  If you want Security Center to detect and generate alerts on a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and click Remove to remove the vulnerability from the whitelist.
- Filter vulnerabilities
  On the Linux Software tab, filter vulnerabilities by priority (high, medium, and low), vulnerability status (handled, unhandled), asset group, or vulnerability name.
  
  Note Fuzzy match for vulnerability names is supported.
- Export vulnerabilities
  On the Linux Software tab, click to export records of all Linux software vulnerabilities to your local computer. The vulnerability records are exported to an Excel file.
  
  Note It may take some time to export the vulnerability records, depending on the file size.

View vulnerability details and manage vulnerabilities

Log on to the Security Center console.
In the left-side navigation pane, choose Precaution > Vulnerabilities.
On the Linux Software tab, find the target vulnerability. Click the name of the Vulnerability or Fix in the Actions column to open the Detail tab.
View the Detail of the vulnerability, the number of Pending vulnerabilities, and the assets that are exposed to the pending vulnerabilities.
On the Detail tab, view and manage vulnerabilities.
Perform the following operations as needed:
- View vulnerability details
  The Detail tab displays information about related vulnerabilities and assets that are exposed to these vulnerabilities. You can analyze and manage multiple vulnerabilities simultaneously.
  - The Detail tab displays the related vulnerabilities, vulnerability descriptions, and priority of each vulnerability.
  - The Pending vulnerability tab displays the assets that are exposed to the vulnerabilities.
    You can view all the assets exposed to the vulnerabilities and the vulnerability status. You can also verify, fix, and ignore vulnerabilities. In addition, you can undo fixes, and add vulnerabilities to the whitelist.
  On the Pending vulnerability tab, click an asset name in the Affected Assets column to go to the Assets > Vulnerabilities page. This page displays all vulnerabilities related to this asset.
- View vulnerability details in the Alibaba Cloud vulnerability library
  On the Detail tab, find the target vulnerability and click the CVE ID to go to the Alibaba Cloud vulnerability library.
  
  This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solutions to fix the vulnerability.
- View vulnerability priorities
  Vulnerability priorities are displayed in different colors:
  - Red: High priority.
  - Orange: Medium priority.
  - Gray: Low priority.
  Note We recommend that you fix High priority vulnerabilities immediately.
- View processes related to vulnerability fixing
  On the Pending Vulnerability tab, click the icon in the Related process column to view processes related to the vulnerability. This helps you learn about the processes and service systems that may be affected by fixing the vulnerability.
- View vulnerability status
  - Handled
    - Fixed: The vulnerability has been fixed.
    - Ignored: The vulnerability is Ignored. Security Center no longer generates alerts upon this vulnerability.
    Note For Handled vulnerabilities, you can Undo Fix. After you undo the fix, the vulnerability status changes to Unhandled.
  - Unhandled
    - Unfixed: The vulnerability has not been fixed.
    - Fixing: The vulnerability is being fixed.
    - Fix Failed: Security Center failed to fix the vulnerability. The file of the vulnerability has been modified or does not exist.
    - Handled (To Be Restarted): The vulnerability has been fixed, and a system restart is required for the fix to take effect.
    - Verifying: The vulnerability has been fixed. If the system needs to be restarted, verify the fix after the restart.
- Manage vulnerabilities on affected assets
  On the Pending vulnerability tab, you can fix, verify, and ignore vulnerabilities. You can also undo fixes or add vulnerabilities to the whitelist.
  - Fix vulnerabilities
    Click Fix in the Actions column to fix one or more related vulnerabilities simultaneously. Security Center can fix vulnerabilities and automatically create snapshots at the same time. Select Create snapshots automatically and fix or Skip snapshot backup and fix directly as needed.
    Note
    
    The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system. For more information about snapshots, see Snapshot overview.
    
    Creating snapshots incurs fees based on the usage. For a 40 GB system disk, the snapshot storage fee is approximately USD 0.15 per day. For more information about the pricing of snapshots, see Snapshot billing.
  - Restart the system
    You must restart the system after you fix Linux kernel vulnerabilities. Choose one of the following methods to restart the system:
    
    We recommend that you click Restart on the Detail tab of the console.
    
    Alternatively, run the corresponding command in the Linux system to restart the system.
  - Verify vulnerabilities
    Click Verify to verify one or more related vulnerabilities simultaneously.
    
    After you click Verify, the Status of the vulnerability changes to Verifying. It takes several seconds to verify vulnerabilities.
  - Add vulnerabilities to the whitelist
    In the upper-right corner of the Detail tab, click Add to Whitelist to add the vulnerability to the whitelist. After a vulnerability is added to the whitelist, Security Center no longer generates alerts on this vulnerability.
    
    Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Linux Software tab. Click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.
    
    If you want Security Center to detect and generate alerts on a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and click Remove to remove the vulnerability from the whitelist.
  - Ignore vulnerabilities
    Select the vulnerabilities to be ignored, click , and then select Ignore. Security Center no longer generates alerts upon this vulnerability.
    
    Note After you Ignore a vulnerability, the status of the vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, select the vulnerability in the Handled vulnerability list and click Cancel ignore.
  - Undo a fix
    Select the vulnerability of which you want to undo the fix, click , click Undo Fix, select the target snapshot, and then click OK.
- Filter affected assets
  On the Pending vulnerability tab, you can filter affected assets by vulnerability priority (high, medium, and low), asset group, vulnerability status (handled and unhandled), server IP address, or server name.
  
  Note Fuzzy match for server IP addresses and names is supported.
- Export affected assets
  In the upper-left corner of the Pending vulnerability tab, click to export affected asset records to a local computer. The asset records are exported to an Excel file.
  
  Note It may take some time to export the asset records, depending on the file size.
- Save filtered vulnerabilities
  In the upper-left corner of the Pending vulnerability tab, click to save the filtered vulnerabilities as a group. This allows you to keep monitoring the vulnerability status of this group.

Descriptions of the details page of a Linux software vulnerability


Item	Description
CVE ID	The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability. The CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to filter relevant information about vulnerability fixes in any CVE-compatible databases to resolve security issues.
Impact (CVSS score)	The CVSS score follows the widely accepted industry standard, Common Vulnerability Scoring System. The CVSS score is calculated based on multiple attributes of the vulnerability. This score is used to quantify the severity of vulnerabilities. In the CVSS v3.0, the severity level indicated by each score is as follows: 0.0: None. 0.1-3.9: Low Vulnerabilities that can cause local denial of service. Vulnerabilities that have minor impacts. 4.0-6.9: Medium Vulnerabilities that can affect users during system and user interactions. Vulnerabilities that can be exploited to perform unauthorized activities. Vulnerabilities that can be exploited after attackers change local configurations or obtain important information. 7.0-8.9: High Vulnerabilities that can be exploited to indirectly obtain permissions to your server and application systems. Vulnerabilities that can be exploited to read, download, write, or delete any files. Vulnerabilities that can cause sensitive data leaks. Vulnerabilities that can cause service disruption or remote denial of service. 9.0-10.0: Critical Vulnerabilities that can be exploited to directly obtain permissions to the operating system of your server. Vulnerabilities that can be exploited to directly obtain sensitive data and cause data leaks. Vulnerabilities that can cause unauthorized access to sensitive information. Vulnerabilities that can cause large-scale impacts.
Affected Assets	The server assets that are exposed to this vulnerability, including the public and internal IP addresses of the servers.
Priority	The priority of the vulnerability, including High: We recommend that you fix high priority vulnerabilities immediately. Medium: You can fix medium priority vulnerabilities based on your workload needs. Low: You can fix low priority vulnerabilities based on your workload needs.
Details	On the Detail tab, find the target vulnerability and click Details in the Actions column to view details of this vulnerability. Fix Command: The command that can be run to fix this vulnerability. Impact description: Software: The version of the software on the current server. Cause: the reason why the software is exposed to this vulnerability. Typically, the reason is that the current version of the software is outdated. Path: The path of the software on the server. Caution: Important notes, prevention tips, and links to reference documents about this vulnerability.