Security Center detects and fixes Linux software vulnerabilities. This topic describes how to view and handle Linux software vulnerabilities.

Background information

The Basic and Basic Anti-Virus editions of Security Center only detect vulnerabilities. To use the vulnerability fix feature, you must upgrade Security Center to the Advanced or Enterprise edition. For more information about the features supported by each edition of Security Center, see Features.

View vulnerability information

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. In the Vulnerability column of the Linux Software tab, view the vulnerabilities detected by Security Center. In most cases, the name of a vulnerability starts with USN, RHSA, or CVE.
    • View vulnerabilities
    • View the priorities of vulnerabilities and the number of affected assets
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability.
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Linux Software tab, select one or more vulnerabilities you want to add to the whitelist and click Add to Whitelist. After you add vulnerabilities to the whitelist, Security Center no longer generates alerts when these vulnerabilities are detected.

      Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist column on the Settings pane.

      If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist column on the Settings pane and click Remove.

    • Fix multiple vulnerabilities at a time
      When you fix multiple vulnerabilities at a time, the affected assets are automatically identified and the vulnerabilities on these assets are fixed. On the Linux Software tab, select multiple vulnerabilities you want to fix and click Batch Repair. In the Batch Repair dialog box, view the affected assets, select Create snapshots automatically and fix or Skip snapshot backup and fix directly, and then click Fix Now.
      Note
      • You can select only the vulnerabilities on the current page. Each page displays 10, 20, or 50 vulnerabilities. Therefore, you can fix a maximum of 50 vulnerabilities at a time.
      • For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities. Security Center cannot fix multiple vulnerabilities detected on these operating systems at a time. If you use the Batch Repair function to fix these vulnerabilities, Security Center ignores them. If you use one of the following operating systems, you must upgrade your operating system to fix multiple vulnerabilities at a time:
        • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
        • CentOS 5
        • Ubuntu 12
      • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Snapshot overview.
      • You are billed based on the billing methods of the snapshot service. For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.15 per day. For more information, see Snapshot billing.
    • Filter vulnerabilities

      On the Linux Software tab, filter vulnerabilities by priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), vulnerability name, or VPC name.

      Note Fuzzy match is supported for vulnerability search by name.
    • Export vulnerabilities
      On the Linux Software tab, click the Export icon to export and save all detected vulnerabilities to your computer. The vulnerabilities are exported to an Excel file.
      Note Depending on the size of the vulnerability data, the export may take a long time.

View vulnerability details and handle vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the vulnerability you want to view. In the Vulnerability column, click the name of the vulnerability you want to view, or click Fix in the Actions column of the vulnerability you want to view to go to the Detail tab.
  4. On the Detail tab, view and handle the vulnerability.
    Perform the following operations based on your requirements:
    • View vulnerability details

      The Detail tab displays all the affected assets and vulnerabilities associated with the vulnerability, so that you can analyze and manage multiple vulnerabilities at a time.

      • On the Detail tab, view all vulnerabilities associated with this vulnerability, vulnerability descriptions, and vulnerability priorities.
      • On the Pending vulnerability tab, view the assets that are affected by the vulnerability.

        You can fix a vulnerability, ignore a vulnerability, or add a vulnerability to a whitelist. You can also verify or undo a fix.

      On the Detail tab, click an asset in the Affected Asset column to go to the Vulnerabilities tab of the Assets page. On this tab, view the information about all Linux software vulnerabilities associated with this asset.
    • View details of the Alibaba Cloud vulnerability library
      On the Detail tab, click the ID of a vulnerability you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library.

      On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability priorities
      Vulnerability priorities are marked in different colors:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix High priority vulnerabilities at the earliest opportunity.
    • View processes related to vulnerability fixing
      On the Pending vulnerability tab, click the icon in the Related process column to view processes related to the vulnerability. On the pane that appears, you can view the processes or business systems that may be affected by fixing the vulnerability.
    • View the vulnerability status

      Valid values:

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts when this vulnerability is detected.
        Note For a Handled vulnerability, you can click Rollback in the Actions column. After you undo a vulnerability fix, the vulnerability status changes to Unhandled.
      • Unhandled
        • Unfixed: The vulnerability is to be fixed.
        • Fixing: The vulnerability is being fixed.
        • Fix Failed: Security Center failed to fix the vulnerability. The file that contains the vulnerability data may have been modified or does not exist.
        • Handled (To Be Restarted): The vulnerability has been fixed, and you must restart the system for the fix to take effect.
        • Verifying: The vulnerability has been fixed. If a system restart is required, you can verify the fix after you restart the system.
    • Handle vulnerabilities of the affected assets

      On the Pending vulnerability tab, you can fix, verify, or ignore vulnerabilities. You can also undo vulnerability fixes or add vulnerabilities to a whitelist.

      You can perform the following operations as needed:

      • Fix vulnerabilities
        Fix vulnerabilities based on the following scenarios:
        • The Fix button is available

          Select one or more associated vulnerabilities and click Fix. Security Center automatically creates snapshots and fixes vulnerabilities. You can select Create snapshots automatically and fix or Skip snapshot backup and fix directly as needed.

          Note
          • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Snapshot overview.
          • You are billed based on the billing methods of the snapshot service. For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.15 per day. For more information, see Snapshot billing.
        • The Fix button is unavailable
          For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities. To view suggestions for upgrading the operating system, move the pointer over the Fix button.
          Note If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities:
          • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
          • CentOS 5
          • Ubuntu 12
      • Restart the system
        You must restart the system after you fix Linux kernel vulnerabilities. Choose one of the following methods to restart the system:
        • We recommend that you click Restart on the Detail tab.
          Note If the system has vulnerabilities in the fixing or verifying state, you cannot restart the system. If you click Restart, an error message appears, which indicates that the system restart fails. Before you restart a system, make sure that the system has no vulnerabilities in the fixing or verifying state.
        • Alternatively, you can run the required command in the Linux system to restart the system.
      • Verify a vulnerability fix

        Select a vulnerability or multiple associated vulnerabilities and click Verify to check whether the vulnerability is fixed.

        After you click Verify, the Status of the vulnerability changes to Verifying. It takes several seconds to verify the fix.

      • Add a vulnerability to the whitelist

        In the upper-right corner of the Detail tab, click Add to Whitelist to add a vulnerability to the whitelist. After you add the vulnerability to the whitelist, Security Center no longer generates alerts when this vulnerability is detected.

        Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist column on the Settings pane.

        If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist column on the Settings pane and click Remove.

      • Ignore a vulnerability

        On the Detail tab, select the vulnerability you want to ignore, click the Ignore a vulnerability or undo a vulnerability fix icon in the Actions column, and then select Ignore. After a vulnerability is ignored, Security Center no longer generates alerts when this vulnerability is detected.

        Note The status of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, click the vulnerability in the Handled vulnerability list and click Unignore on the Detail tab.
      • Undo a vulnerability fix

        Select the vulnerability of which you want to undo the fix, click the Ignore a vulnerability or undo a vulnerability fix icon, and then select Rollback. In the dialog box that appears, select the snapshot based on which you want to undo a fix and click OK.

    • Filter affected assets

      On the Pending vulnerability tab, you can filter affected assets by vulnerability priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), server IP address, VPC name, or server name.

      Note Fuzzy match is supported for affected assets search by server IP address or name.
    • Export affected assets
      In the upper-left corner of the Pending vulnerability tab, click the Export icon to export and save all affected assets to your computer. The assets are exported to an Excel file.
      Note Depending on the size of the asset data, the export may take a long time.
    • Save filtered vulnerabilities

      In the upper-left corner of the Pending vulnerability tab, click the Save icon to save the filtered vulnerabilities as a group. This way, you can keep monitoring the vulnerability status of this group.
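
For the Restart the system step above, the following shell script is an added example (not part of the Security Center documentation or product) that checks on the server whether a newer kernel is installed than the one running, which is the condition in which a kernel fix needs a restart to take effect. It assumes kernel release strings that sort -V orders correctly (Ubuntu-style, such as 5.4.0-100-generic; RPM-style release strings are not guaranteed to order the same way) and one directory per installed kernel under /lib/modules. The function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the Security Center documentation): report whether
# a newer kernel is installed than the one currently running, which means a
# kernel fix is on disk but will not take effect until the system restarts.

# newest_kernel: read kernel release strings on stdin, one per line, and
# print the highest one (version-aware sort: 5.4.0-100 sorts after 5.4.0-99).
newest_kernel() {
    grep -v '^[[:space:]]*$' | sort -V | tail -n 1
}

# restart_pending RUNNING INSTALLED
#   RUNNING   - running kernel release, as printed by `uname -r`
#   INSTALLED - newline-separated installed kernel releases
# Exit status 0 when the newest installed kernel sorts after RUNNING.
restart_pending() {
    rp_newest=$(printf '%s\n' "$2" | newest_kernel)
    [ -n "$rp_newest" ] || return 1          # nothing installed to compare
    [ "$rp_newest" != "$1" ] || return 1     # already running the newest
    rp_top=$(printf '%s\n%s\n' "$1" "$rp_newest" | sort -V | tail -n 1)
    [ "$rp_top" = "$rp_newest" ]
}

# check_host: gather live inputs. Assumption: /lib/modules holds one
# directory per installed kernel, named after its release string.
check_host() {
    ch_installed=$(ls -1 /lib/modules 2>/dev/null)
    if restart_pending "$(uname -r)" "$ch_installed"; then
        echo "restart pending: running $(uname -r)," \
             "newest installed $(printf '%s\n' "$ch_installed" | newest_kernel)"
    else
        echo "no newer kernel installed than $(uname -r)"
    fi
}

check_host
```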

Description of the Detail tab

Parameters on the Detail tab:

  • CVE ID: The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to filter relevant information about vulnerability fixes in CVE-compatible databases to resolve security issues.
  • Impact: The value of the Impact parameter is a Common Vulnerability Scoring System (CVSS) score. The CVSS score follows the widely accepted industry standard and is calculated based on a formula that depends on several attributes of the vulnerability. This score is used to determine the severity of the vulnerability.
    The following list describes the severity rating scale in CVSS v3.0.
    • 0.0: none
    • 0.1 to 3.9: low
      • Vulnerabilities that cause local DDoS attacks
      • Vulnerabilities that have minor impacts
    • 4.0 to 6.9: medium
      • Vulnerabilities that affect users only when the system and user interact
      • Vulnerabilities that attackers can exploit to perform unauthorized operations
      • Vulnerabilities that can be exploited after attackers change local configurations or obtain the required information
    • 7.0 to 8.9: high
      • Vulnerabilities that can be exploited to indirectly obtain permissions on your server and application systems
      • Vulnerabilities that attackers can exploit to read, download, write, or delete files
      • Vulnerabilities that cause sensitive data leaks
      • Vulnerabilities that cause service interruptions or remote DDoS attacks
    • 9.0 to 10.0: critical
      • Vulnerabilities that can be exploited to directly obtain permissions on your server
      • Vulnerabilities that can be exploited to directly obtain sensitive data and cause data leaks
      • Vulnerabilities that cause unauthorized access to sensitive data
      • Vulnerabilities that cause large-scale impacts
  • Affected Assets: The details of assets that are affected by the vulnerability, including the public and private IP addresses of the assets.
  • Priority: The following section describes the vulnerability priorities:
    • High: We recommend that you fix high priority vulnerabilities in a timely manner.
    • Medium: You can fix medium priority vulnerabilities based on your service requirements.
    • Low: You can fix or ignore low priority vulnerabilities based on your service requirements.
  • Detail: On the Detail tab, find a vulnerability and click Details in the Actions column to view details of this vulnerability.
    • Fix Command: the command that you can run to fix the vulnerability.
    • Impact description:
      • Software: the version of the software on the current server.
      • Cause: the reason why the software has the vulnerability. In most cases, the vulnerability is detected because the current version of the software is outdated.
      • Path: the path of the software on the server.
    • Caution: important notes, prevention tips, and references for the vulnerability.