Security Center detects and fixes Linux software vulnerabilities. This topic describes how to view and handle Linux software vulnerabilities.

Background information

The Basic and Basic Anti-Virus editions of Security Center only detect vulnerabilities. To use the vulnerability fix feature, you must upgrade Security Center to the Advanced or Enterprise edition. For more information about the features that are supported by each edition of Security Center, see Features.

View vulnerability information

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. In the Vulnerability column of the Linux Software tab, view the vulnerabilities detected by Security Center. In most cases, the name of a vulnerability starts with USN, RHSA, or CVE.
    • View vulnerabilities
    • View the priorities of vulnerabilities and the number of affected assets
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability. The following list describes the relationship between colors and priorities:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix vulnerabilities with the High priority at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Linux Software tab, select one or more vulnerabilities that you want to add to the whitelist and click Add to Whitelist. After you add vulnerabilities to the whitelist, Security Center no longer generates alerts when these vulnerabilities are detected.

      Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist section in the Settings panel.

      If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist section in the Settings panel and click Remove.

    • Fix multiple vulnerabilities at a time
      When you fix multiple vulnerabilities at a time, Security Center automatically identifies affected assets and fixes the vulnerabilities on these assets. On the Linux Software tab, select multiple vulnerabilities that you want to fix and click Batch Repair. In the Batch Repair dialog box, view the affected assets, select Create snapshots automatically and fix or Skip snapshot backup and fix directly, and then click Fix Now.
      Note
      • You can select only the vulnerabilities on the current page. Each page displays 10, 20, or 50 vulnerabilities. Therefore, you can fix a maximum of 50 vulnerabilities at a time.
      • For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities. Security Center cannot fix multiple vulnerabilities detected on these operating systems at a time. After you use the Batch Repair function to fix these vulnerabilities, Security Center ignores them. If you use one of the following operating systems, you must upgrade your operating system to fix multiple vulnerabilities at a time:
        • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
        • CentOS 5
        • Ubuntu 12
      • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Overview.
      • You are billed based on the billing methods of the snapshot service. For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.005 per day. For more information, see Snapshot.
    • Filter vulnerabilities

      On the Linux Software tab, filter vulnerabilities by priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), vulnerability name, or VPC name.

      Note Fuzzy match is supported for vulnerability search by name.
    • Export vulnerabilities
      On the Linux Software tab, click the Export icon to export and save all detected vulnerabilities to your computer. The vulnerabilities are exported to an Excel file.
      Note The time to export the vulnerabilities varies based on the size of vulnerability data.

View vulnerability details and handle vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the vulnerability that you want to view. In the Vulnerability column, click the name of the vulnerability that you want to view, or click Fix in the Actions column of the vulnerability that you want to view to go to the details page.
  4. On the details page, view and handle the vulnerability.
    Perform the following operations based on your requirements:
    • View vulnerability details

      The details page displays all the affected assets and vulnerabilities associated with the vulnerability, so you can analyze and handle multiple vulnerabilities at a time. You can view the following information:

      • On the Detail tab, view all vulnerabilities associated with the vulnerability, vulnerability descriptions, and vulnerability priorities.
      • On the Pending vulnerability tab, view the assets that are affected by the vulnerability.

        You can fix a vulnerability, ignore a vulnerability, or add a vulnerability to a whitelist. You can also verify or undo a fix.

      On the Detail tab, click an asset in the Affected Assets column to go to the Vulnerabilities tab of the Assets page. On this tab, view the information about all Linux software vulnerabilities associated with this asset.
    • View details of the Alibaba Cloud vulnerability library
      On the Detail tab, click the ID of a vulnerability that you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library.

      On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability priorities
      Vulnerability priorities are marked in different colors:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix vulnerabilities with the High priority at the earliest opportunity.
    • View processes related to vulnerability fixing
      On the Pending vulnerability tab, click the Related process icon in the Related process column to view processes related to the vulnerability. In the panel that appears, you can view the processes or business systems that may be affected by fixing the vulnerability.
    • View the vulnerability status

      Valid values:

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts when this vulnerability is detected.
        Note For a Handled vulnerability, you can click Rollback in the Actions column. After you undo a vulnerability fix, the vulnerability status changes to Unhandled.
      • Unhandled
        • Unfixed: The vulnerability is to be fixed.
        • Fixing: The vulnerability is being fixed.
        • Fix Failed: Security Center failed to fix the vulnerability. The file that contains vulnerability data may have been modified or does not exist.
        • Handled (To Be Restarted): The vulnerability has been fixed, and you must restart the system for the fix to take effect.
        • Verifying: The vulnerability has been fixed. If a system restart is required, you can verify the fix after you restart the system.
    • Handle vulnerabilities of the affected assets

      On the Pending vulnerability tab, you can fix, verify, or ignore vulnerabilities. You can also undo vulnerability fixes or add vulnerabilities to a whitelist.

      You can perform the following operations based on your requirements:

      • Fix vulnerabilities
        Fix vulnerabilities based on the following scenarios:
        • The Fix button is available

          Select one or more associated vulnerabilities and click Fix. Security Center automatically creates snapshots and fixes vulnerabilities. You can select Create snapshots automatically and fix or Skip snapshot backup and fix directly as required.

          Note
          • The system may fail to fix a vulnerability. We recommend that you select Create snapshots automatically and fix to create a snapshot of the system before you click Fix Now. For more information about snapshots, see Overview.
          • You are billed based on the billing methods of the snapshot service. For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.005 per day. For more information, see Snapshot.
        • The Fix button is dimmed
          The button is dimmed in the following scenarios:
          • For outdated or commercial operating systems, you must manually upgrade the operating system to fix vulnerabilities.
            Note If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities:
            • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
            • CentOS 5
            • Ubuntu 12
          • Linux software vulnerabilities may fail to be fixed due to issues, such as insufficient disk space on your server or unauthorized access to files. Before you fix Linux software vulnerabilities in the Security Center console, you must first address the preceding issues on the server. The following list describes these issues and solutions:
            • The disk space is smaller than 3 GB.

              Solution:

            • The apt-get or APT/YUM process is running.

              Solution: Wait until the process is complete, or manually stop the process. Then, fix the vulnerability in the Security Center console.

            • Insufficient permissions to run the APT, YUM, or RPM command.
              Solution: Check and manage access permissions on the files. We recommend that you set file permissions to 755, and make sure that the file owner is the root user. Then, fix the vulnerability again in the Security Center console.
              Note After you set file permissions to 755, the file owner has the read, write, and execute permissions on the file. Other users and the user group to which the file owner belongs have only read and execute permissions on the file.

          To view server issues, move the pointer over the Fix button. The suggestions are provided by Security Center.

      • Restart the system
        After you fix Linux kernel vulnerabilities, you must restart the system. Select one of the following methods to restart the system:
        • We recommend that you click Restart on the Detail tab.
          Note If the system has vulnerabilities in the fixing or verifying state, you cannot restart the system. In this situation, if you click Restart, an error message appears, which indicates that the system restart fails. Before you restart a system, make sure that the system has no vulnerabilities in the fixing or verifying state.
        • Alternatively, you can run the required command in the Linux system to restart the system.
      • Verify a vulnerability fix

        Select a vulnerability or multiple associated vulnerabilities and click Verify to check whether the vulnerabilities are fixed.

        After you click Verify, the Status of the vulnerability changes to Verifying. Verification takes several seconds.

      • Add a vulnerability to the whitelist

        In the upper-right corner of the details page, click Add to Whitelist to add a vulnerability to the whitelist. After you add the vulnerability to the whitelist, Security Center no longer generates alerts when this vulnerability is detected.

        Vulnerabilities in the whitelist are removed from the Vulnerability column of the Linux Software tab and are displayed in the Vul Whitelist section in the Settings panel.

        If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist section in the Settings panel and click Remove.

      • Ignore a vulnerability

        On the Detail tab, find the vulnerability that you want to ignore, click the Ignore a vulnerability or undo a vulnerability fix icon in the Actions column, and then select Ignore. In the dialog box that appears, enter the description for the ignore operation and click OK. After a vulnerability is ignored, Security Center no longer generates alerts when this vulnerability is detected.

        Filter Handled vulnerabilities, find the vulnerability that is ignored, and click the vulnerability to go to the details page. On the details page, move the pointer over the Ignored state in the Status column to view the description.
        Note The status of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, find the vulnerability in the Handled vulnerability list and click Unignore on the details page.
      • Undo a vulnerability fix

        On the Detail tab, find the vulnerability for which you want to undo the fix, click the Ignore a vulnerability or undo a vulnerability fix icon in the Actions column and select Rollback. In the Rollback dialog box, select the snapshot based on which you want to undo the fix and click OK.

    • Filter affected assets

      On the Pending vulnerability tab, you can filter affected assets by vulnerability priority (high, medium, or low), asset group, vulnerability status (handled or unhandled), server IP address, VPC name, or server name.

      Note Fuzzy match is supported for affected assets search by server IP address or name.
    • Export affected assets
      In the upper-left corner of the Pending vulnerability tab, click the Export icon to export and save all affected assets to your computer. The assets are exported to an Excel file.
      Note The time to export the vulnerabilities varies based on the size of asset data.
    • Save filtered vulnerabilities

      In the upper-left corner of the Pending vulnerability tab, click the Save icon to save the filtered vulnerabilities as a group. This way, you can keep monitoring the vulnerability status of this group.
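
The server-side conditions listed under "The Fix button is dimmed" (less than 3 GB of disk space, a running apt-get or APT/YUM process, and file permissions other than 755 with root as owner) can be checked on the host before you retry a fix. The script below is an added example, not Security Center code; it assumes that free space is measured on the root filesystem and that the files in question are the apt-get, yum and rpm binaries found on PATH.

```shell
#!/bin/sh
# Added example: host-side pre-flight for the three blockers the page lists.
# Assumptions (not from the page): free space is measured on /, and the
# permission check targets the apt-get, yum and rpm binaries on PATH.

MIN_FREE_KB=$((3 * 1024 * 1024))    # the page's 3 GB threshold, in KB

# free_kb PATH: available KB on the filesystem that holds PATH
free_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }

# disk_ok KB: succeeds when at least 3 GB is free
disk_ok() { [ "$1" -ge "$MIN_FREE_KB" ]; }

# pkg_busy: reads process names on stdin, succeeds if apt-get, apt or yum runs
pkg_busy() { grep -Eqx 'apt-get|apt|yum'; }

# mode_uid FILE: prints "<mode string> <owner uid>", following symlinks;
# substr drops the ACL/SELinux marker some systems append to the mode
mode_uid() { ls -lnL "$1" | awk '{ print substr($1, 1, 10), $3 }'; }

# perm_ok "MODE UID": succeeds only for mode 755 owned by root (uid 0)
perm_ok() { [ "$1" = "-rwxr-xr-x 0" ]; }

# preflight: runs every check, reports each blocker, returns their count
preflight() {
    problems=0
    kb=$(free_kb /)
    if ! disk_ok "$kb"; then
        echo "BLOCKER: ${kb} KB free on /, below the 3 GB minimum"
        problems=$((problems + 1))
    fi
    if ps -e -o comm= | pkg_busy; then
        echo "BLOCKER: apt-get/apt/yum is running; wait for it to finish"
        problems=$((problems + 1))
    fi
    for tool in apt-get yum rpm; do
        path=$(command -v "$tool") || continue    # tool absent on this distro
        if ! perm_ok "$(mode_uid "$path")"; then
            echo "BLOCKER: $path is not mode 755 owned by root"
            problems=$((problems + 1))
        fi
    done
    echo "$problems blocker(s) found"
    return "$problems"
}

# Run the checks only when invoked as: sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

The exit status of `preflight` is the number of blockers, so a zero status means none of the three listed conditions was found on the host.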


Description of the details page

Parameter: Description
CVE ID: The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to filter relevant information about vulnerability fixes in CVE-compatible databases to resolve security issues.
Impact: The value of the Impact parameter is a Common Vulnerability Scoring System (CVSS) score. The CVSS score follows the widely accepted industry standard and is calculated based on a formula that depends on several attributes of the vulnerability. This score is used to determine the severity of the vulnerability.
The following list describes the severity rating scale in CVSS v3.0:
  • 0: none
  • 0.1 to 3.9: low
    • Vulnerabilities that cause local DDoS attacks
    • Vulnerabilities that have minor impacts
  • 4.0 to 6.9: medium
    • Vulnerabilities that affect users only when the system and user interact
    • Vulnerabilities that attackers can exploit to perform unauthorized operations
    • Vulnerabilities that can be exploited after attackers change local configurations or obtain the required information
  • 7.0 to 8.9: high
    • Vulnerabilities that can be exploited to indirectly obtain permissions on your server and application systems
    • Vulnerabilities that attackers can exploit to read, download, write, or delete files
    • Vulnerabilities that cause sensitive data leaks
    • Vulnerabilities that cause service interruptions or remote DDoS attacks
  • 9.0 to 10.0: critical
    • Vulnerabilities that can be exploited to directly obtain permissions on your server
    • Vulnerabilities that can be exploited to directly obtain sensitive data and cause data leaks
    • Vulnerabilities that cause unauthorized access to sensitive data
    • Vulnerabilities that cause large-scale impacts
Affected Assets: The details of assets that are affected by the vulnerability, including the public and private IP addresses of the assets.
Priority: The following list describes the vulnerability priorities:
  • High:

    We recommend that you fix high priority vulnerabilities in a timely manner.

  • Medium:

    You can fix medium priority vulnerabilities based on your service requirements.

  • Low:

    You can fix or ignore low priority vulnerabilities based on your service requirements.

Detail: On the Detail tab, find a vulnerability and click Details in the Actions column to view details of this vulnerability.
  • Fix Command: the command that you can run to fix the vulnerability.
  • Impact description:
    • Software: the version of the software on the current server.
    • Cause: the reason why the software has the vulnerability. In most cases, the vulnerability is detected because the current version of the software is outdated.
    • Path: the path of the software on the server.
  • Caution: important notes, prevention tips, and references for the vulnerability.