Security Center can detect and quickly fix Linux software vulnerabilities. This topic describes how to check information about Linux software vulnerabilities and how to manage them.
Background information
Check the information about vulnerabilities
- On the Linux Software page, you can view the vulnerabilities detected in Linux software. The name of a
vulnerability typically starts with USN, RHSA, or CVE.
- View vulnerability updates
- View the severity of vulnerabilities
The severity of vulnerabilities is displayed in different colors. The severity number represents the priority in which a vulnerability is fixed.
- Red represents High severity.
- Orange represents Medium severity.
- Gray represents Low severity.
Note We recommend that you fix high severity vulnerabilities immediately. - Add vulnerabilities to the whitelist
On the Linux Software tab, you can select one or more vulnerabilities and click Add to Whitelist to add the selected vulnerabilities to the whitelist. After a vulnerability is added to the whitelist, Security Center no longer generates alerts when this vulnerability is detected.
Vulnerabilities added to the whitelist are removed from the vulnerability list on the Linux Software tab. You can click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.
If you want Security Center to detect and generate alerts upon a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and then click Remove to remove the vulnerability from the whitelist.
- Search for vulnerabilities
On the Linux Software tab, you can search for vulnerabilities by vulnerability severity level (high, medium, and low), vulnerability status (handled, unhandled), asset group, or vulnerability name.
Note Fuzzy match of vulnerability names is supported. - Export vulnerabilities
On the Linux Software tab, you can click the Export icon (
) to export records of all Linux software vulnerabilities to your local computer.
The vulnerabilities are exported to an Excel file.
Note It may take a long time to export the vulnerabilities, depending on the file size.
- View vulnerability updates
) to export records of all Linux software vulnerabilities to your local computer.
The vulnerabilities are exported to an Excel file.
View vulnerability details and fix vulnerabilities
- On the Linux Software tab, find the target vulnerability. Click the Vulnerability Name or Fix in the Actions column to open the details page.
On the details page, you can view the vulnerability details, the number of pending vulnerabilities, and the assets that are exposed to the pending vulnerabilities.
- You can view vulnerability details and manage vulnerabilities on the vulnerability details page, as described in the following steps.
- View vulnerability details
The vulnerability details page displays information about related vulnerabilities and assets that are exposed to these vulnerabilities. You can analyze and manage multiple vulnerabilities simultaneously.
- The Detail tab displays the related vulnerabilities, vulnerability descriptions, and severity of each vulnerability.
- The Pending Vulnerability tab displays the assets that are exposed to the vulnerabilities.
You can view all the assets exposed to the vulnerabilities and the vulnerability status. You can also verify, fix, and ignore vulnerabilities, undo fixes of vulnerabilities, and add vulnerabilities to the whitelist.
On the Pending Vulnerability tab, you can click an asset in the Affected Assets column to go to the page. This page displays all vulnerabilities related to this asset.
- View vulnerability details in the Alibaba Cloud vulnerability library
On the Detail tab, find the target vulnerability and click the CVE ID to go to the Alibaba Cloud vulnerability library.
This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solutions to fix the vulnerability.
- View vulnerability severity
The severity of vulnerabilities is displayed in different colors. Red represents High severity. Orange represents Medium severity. Grey represents Low severity.
Note We recommend that you fix high severity vulnerabilities immediately. - View processes related to vulnerability fixing
On the Pending Vulnerability tab, you can click the icon in the Related process column to view processes related to the vulnerability. This helps you learn about the processes and service systems that may be affected by fixing the vulnerability.
- View vulnerability status
- Handled
- Fixed: The vulnerability has been fixed.
- Ignored: The vulnerability is Ignored. Security Center no longer generates alerts upon this vulnerability.
Note For Handled vulnerabilities, you can choose to Undo Fix. After a fix is undone, the vulnerability status is changed to Unhandled. - Unhandled
- Unfixed: The vulnerability has not been fixed.
- Fixing: The vulnerability is being fixed.
- Fix Failed: Security Center failed to fix the vulnerability. The file of the vulnerability has been modified or does not exist.
- Handled (To Be Restarted): The vulnerability has been fixed, and a system restart is required for the fix to take effect.
- Verifying: The vulnerability has been fixed. If the system needs to be restarted, verify the fix after the restart.
- Handled
- Manage vulnerabilities on affected assets
On the Pending Vulnerability tab, you can fix, verify, and ignore vulnerabilities, undo fixes of vulnerabilities, and add vulnerabilities to the whitelist.
- Fix vulnerabilities
You can click Fix in the Actions column to fix one or more related vulnerabilities simultaneously. Security Center can automatically create snapshots and fix vulnerabilities. You can select Create snapshots automatically and fix or Skip snapshot backup and fix directly as needed.
Note- The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system. For more information about snapshots, see Snapshot overview.
- Snapshots incur fees. Fees are calculated based on the service of the snapshot. For example, if the size of the system disk is 40 GB, the fees are USD 0.005 per day. For more information, see Snapshot billing methods.
- Verify vulnerabilities
You can click Verify to verify one or more related vulnerabilities simultaneously.
After you click Verify, the Status of the vulnerability is changed to Verifying. It takes several seconds to verify a vulnerability.
- Add vulnerabilities to the whitelist
In the upper-right corner of the Detail tab, click Add to Whitelist to add the vulnerability to the whitelist. After a vulnerability is added to the whitelist, Security Center no longer generates alerts upon this vulnerability.
Vulnerabilities added to the whitelist are removed from the vulnerability list on the Linux Software tab. You can click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.
If you want Security Center to detect and generate alerts upon a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and then click Remove to remove the vulnerability from the whitelist.
- Ignore vulnerabilities
Select the target vulnerability, click
and then select Ignore. Security Center no longer alerts you of this vulnerability.
Note After you Ignore a vulnerability, the status of the vulnerability is changed to Ignored. If you want Security Center to alert you of an ignored vulnerability again, select the vulnerability in the Handled vulnerability list and click Cancel ignore. - Undo fixes of vulnerabilities
Select the target vulnerability, click
and then select Undo Fix. Select the snapshot to which you want to roll back, and click OK.
- Fix vulnerabilities
- Search for assets exposed to a vulnerability
On the Pending Vulnerability tab, you can search for affected assets by vulnerability severity (high, medium, and low), asset group, vulnerability status (handled and unhandled), server IP address, or server name.
Note Server IP addresses and names support fuzzy match. - Export affected assets
In the upper-right corner of the Pending Vulnerability tab, click the Export icon (
) to export assets exposed to a vulnerability to a local computer. The assets are
exported to an Excel file.
Note It may take a long time to export the assets, depending on the file size.
- Save filtered vulnerabilities
In the upper-right corner of the Pending Vulnerability tab, you can click
to save the filtered vulnerability as a group. This allows you to monitor the group
of vulnerabilities.
- View vulnerability details
and then select 
) to export assets exposed to a vulnerability to a local computer. The assets are
exported to an Excel file.
to save the filtered vulnerability as a group. This allows you to monitor the group
of vulnerabilities.
Description of the details page of a Linux software vulnerability
| Item | Description |
|---|---|
| CVE ID | The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability. The CVE system provides a reference-method for publicly known information-security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to quickly search for information about vulnerability fixes in any CVE-compatible databases to resolve security issues. |
| Impact (CVSS score) | The CVSS score follows the widely accepted industry standard, Common Vulnerability
Scoring System, and is calculated based on multiple attributes of the vulnerability.
This score is used to quantify the severity of vulnerabilities.
In the CVSS v3.0 rating system, the severity level indicated by each score is as follows:
|
| Affected assets | The server assets that are exposed to this vulnerability, including the public and internal IP addresses of the servers. |
| Priority | The severity of the vulnerability, including
|
| Details | On the Detail tab, you can select a vulnerability and click Details in the Actions column to view details of this vulnerability.
|