Linux software vulnerabilities

View vulnerability information

1. Log on to the Security Center console.
2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
3. In the Vulnerability column of the Linux Software tab, view the vulnerabilities detected by Security Center. In most cases, the name of a vulnerability starts with USN, RHSA, or CVE.
   • View vulnerabilities
   • View the priorities of vulnerabilities and the number of affected assets
     The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.

     • Red: High
     • Orange: Medium
     • Gray: Low
     
     Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
   • Add vulnerabilities to the whitelist

     On the Linux Software tab, select one or more vulnerabilities you want to add to the whitelist and click Add to Whitelist. After you add vulnerabilities to the whitelist, Security Center no longer generates alerts when these vulnerabilities are detected.

     

     Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist column on the Settings pane.

     If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist column on the Settings pane and click Remove.

     
   • Fix multiple vulnerabilities at a time
     When you fix multiple vulnerabilities at a time, the affected assets are automatically identified and the vulnerabilities on these assets are fixed. On the Linux Software tab, select multiple vulnerabilities you want to fix and click Batch Repair. In the Batch Repair dialog box, view the affected assets, select Create snapshots automatically and fix or Skip snapshot backup and fix directly, and then click Fix Now.

     Note

     • You can select only the vulnerabilities on the current page. Each page displays 10, 20, or 50 vulnerabilities. Therefore, you can fix a maximum of 50 vulnerabilities at a time.
     • For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities. Security Center cannot fix multiple vulnerabilities detected on these operating systems at a time. If you use the Batch Repair function to fix these vulnerabilities, Security Center ignores them. If you use one of the following operating systems, you must upgrade your operating system to fix multiple vulnerabilities at a time:
       • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
       • CentOS 5
       • Ubuntu 12
     • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Snapshot overview.
     • You are billed based on the billing methods of the snapshot service.For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.15 per day. For more information, see Snapshot billing.
   • Filter vulnerabilities

     On the Linux Software tab, filter vulnerabilities by priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), vulnerability name, or VPC name.

     
     Note Fuzzy match is supported for vulnerability search by name.
   • Export vulnerabilities
     On the Linux Software tab, click the icon to export and save all detected vulnerabilities to your computer. The vulnerabilities are exported to an Excel file.

     Note It may take a long time to export the vulnerabilities based on the size of vulnerability data.

View vulnerability details and handle vulnerabilities

1. Log on to the Security Center console.
2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
3. On the Linux Software tab, find the vulnerability you want to view. In the Vulnerability column, click the name of the vulnerability you want to view, or click Fix in the Actions column of the vulnerability you want to view to go to the Detail tab.
4. On the Detail tab, view and handle the vulnerability.
   Perform the following operations based on your requirements:

   • View vulnerability details

     The Detail tab displays all the affected assets and vulnerabilities associated with the vulnerability. Analyze and manage multiple vulnerabilities at a time.

     • On the Detail tab, view all vulnerabilities associated with this vulnerability, vulnerability descriptions, and vulnerability priorities.
     • On the Pending vulnerability tab, view the assets that are affected by the vulnerability.

       You can fix a vulnerability, ignore a vulnerability, or add a vulnerability to a whitelist. You can also verify or undo a fix.

     
     On the Detail tab, click an asset in the Affected Asset column to go to the Vulnerabilities tab of the Assets page. On this tab, view the information about all Linux software vulnerabilities associated with this asset.
   • View details of the Alibaba Cloud vulnerability library
     On the Detail tab, click the ID of a vulnerability you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library.

     On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

   • View vulnerability priorities
     Vulnerability priorities are marked in different colors:

     • Red: High
     • Orange: Medium
     • Gray: Low
     Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
   • View processes related to vulnerability fixing
     On the Pending vulnerability tab, click the icon in the Related process column to view processes related to the vulnerability. On the pane that appears, you can view the processes or business systems that may be affected by fixing the vulnerability.
   • View the vulnerability status

     Valid values:

     • Handled
       • Handled: The vulnerability is fixed.
       • Ignored: The vulnerability is ignored. Security Center no longer generates alerts when this vulnerability is detected.
       Note For a Handled vulnerability, you can click Rollback in the Actions column. After you undo a vulnerability fix, the vulnerability status changes to Unhandled.
     • Unhandled
       • Unfixed: The vulnerability is to be fixed.
       • Fixing: The vulnerability is being fixed.
       • Fix Failed: Security Center failed to fix the vulnerability. The file that contains vulnerabilities data may have been modified or does not exist.
       • Handled (To Be Restarted): The vulnerability has been fixed, and you must restart the system for the fix to take effect.
       • Verifying: The vulnerability has been fixed. If a system restart is required, you can verify the fix after you restart the system.
   • Handle vulnerabilities of the affected assets

     On the Pending vulnerability tab, you can fix, verify, or ignore vulnerabilities. You can also undo vulnerability fixes or add vulnerabilities to a whitelist.

     

     You can perform the following operations as needed:

     • Fix vulnerabilities
       Fix vulnerabilities based on the following scenarios:

       • The Fix button is available

         Select one or more associated vulnerabilities and click Fix. Security Center automatically creates snapshots and fixes vulnerabilities. You can select Create snapshots automatically and fix or Skip snapshot backup and fix directly as needed.

         Note

         • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Snapshot overview.
         • You are billed based on the billing methods of the snapshot service.For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.15 per day. For more information, see Snapshot billing.
         
       • The Fix button is unavailable
         For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities. To view suggestions for upgrading operating system, move the pointer over the Fix button.

         Note If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities at a time:

         • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
         • CentOS 5
         • Ubuntu 12
     • Restart the system
       You must restart the system after you fix Linux kernel vulnerabilities. Choose one of the following methods to restart the system:

       • We recommend that you click Restart on the Detail tab.
         Note If the system has vulnerabilities in the fixing or verifying state, you cannot restart the system. If you click Restart, an error message appears, which indicates that the system restart fails. Before you restart a system, make sure that the system has no vulnerabilities in the fixing or verifying state.
       • Alternatively, you can run the required command in the Linux system to restart the system.
     • Verify a vulnerability fix

       Select a vulnerability or multiple associated vulnerabilities and click Verify to check whether the vulnerability is fixed.

       After you click Verify, the Status of the vulnerability changes to Verifying. It takes several seconds to verify the fix.

     • Add a vulnerability to the whitelist

       In the upper-right corner of the Detail tab, click Add to Whitelist to add a vulnerability to the whitelist. After you add the vulnerability to the whitelist, Security Center no longer generates alerts when this vulnerability is detected.

       Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist column on the Settings pane.

       If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist column on the Settings pane and click Remove.

     • Ignore a vulnerability

       On the Detail tab, select the vulnerability you want to ignore, click the icon in the Actions column, and then select Ignore. After a vulnerability is ignored, Security Center no longer generates alerts when this vulnerability is detected.

       Note The status of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, click the vulnerability in the Handled vulnerability list and click Unignore on the Detail tab.
     • Undo a vulnerability fix

       Select the vulnerability of which you want to undo the fix, click the icon, and then select Rollback. In the dialog box that appears, select the snapshot based on which you want to undo a fix and click OK.

       
   • Filter affected assets

     On the Pending vulnerability tab, you can filter affected assets by vulnerability priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), server IP address, VPC name, or server name.

     
     Note Fuzzy match is supported for affected assets search by server IP address or name.
   • Export affected assets
     In the upper-left corner of the Pending vulnerability tab, click the icon to export and save all affected assets to your computer. The assets are exported to an Excel file.

     Note It may take a long time to export the assets based on the size of asset data.
   • Save filtered vulnerabilities

     In the upper-left corner of the Pending vulnerability tab, click the icon to save the filtered vulnerabilities as a group. This way, you can keep monitoring the vulnerability status of this group.

     

Description of the Detail tab