Security Center can detect and fix Linux software vulnerabilities. This topic describes how to view and manage Linux software vulnerabilities.

Background information

The Basic edition of Security Center only scans for vulnerabilities, but does not fix them. To use Security Center to fix vulnerabilities, you must activate the Advanced or Enterprise edition. For more information about features supported by each edition, see Features.

View vulnerability information

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, you can view the vulnerabilities detected in Linux software. The name of a vulnerability starts with USN, RHSA, or CVE.
    • View vulnerability updates
    • View vulnerability priorities
      The number of vulnerabilities at each priority is displayed in a different color.
      • Red: High priority.
      • Orange: Medium priority.
      • Gray: Low priority.
      Note We recommend that you fix High priority vulnerabilities immediately.
    • Add vulnerabilities to the whitelist

      On the Linux Software tab, select one or more target vulnerabilities and click Add to Whitelist to add them to the whitelist. After the target vulnerabilities are added to the whitelist, Security Center no longer generates alerts when they are detected.

      Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Linux Software tab. Click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.

      If you want Security Center to detect and generate alerts on a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and click Remove to remove the vulnerability from the whitelist.

    • Filter vulnerabilities

      On the Linux Software tab, filter vulnerabilities by priority (high, medium, and low), vulnerability status (handled, unhandled), asset group, or vulnerability name.

      Note Fuzzy match for vulnerability names is supported.
    • Export vulnerabilities
      On the Linux Software tab, click the Export icon to export records of all Linux software vulnerabilities to your local computer. The vulnerability records are exported to an Excel file.
      Note It may take some time to export the vulnerability records, depending on the file size.

View vulnerability details and manage vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Linux Software tab, find the target vulnerability. Click the name of the vulnerability, or click Fix in the Actions column, to open the Detail tab.
    View the details of the vulnerability, the number of Pending vulnerabilities, and the assets that are exposed to the pending vulnerabilities.
  4. On the Detail tab, view and manage vulnerabilities.
    Perform the following operations as needed:
    • View vulnerability details

      The Detail tab displays information about related vulnerabilities and assets that are exposed to these vulnerabilities. You can analyze and manage multiple vulnerabilities simultaneously.

      • The Detail tab displays the related vulnerabilities, vulnerability descriptions, and priority of each vulnerability.
      • The Pending vulnerability tab displays the assets that are exposed to the vulnerabilities.

        You can view all the assets exposed to the vulnerabilities and the vulnerability status. You can also verify, fix, and ignore vulnerabilities. In addition, you can undo fixes, and add vulnerabilities to the whitelist.

      On the Pending vulnerability tab, click an asset name in the Affected Assets column to go to the Assets > Vulnerabilities page. This page displays all vulnerabilities related to this asset.
    • View vulnerability details in the Alibaba Cloud vulnerability library
      On the Detail tab, find the target vulnerability and click the CVE ID to go to the Alibaba Cloud vulnerability library.

      This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solutions to fix the vulnerability.

    • View vulnerability priorities
      Vulnerability priorities are displayed in different colors:
      • Red: High priority.
      • Orange: Medium priority.
      • Gray: Low priority.
      Note We recommend that you fix High priority vulnerabilities immediately.
    • View processes related to vulnerability fixing
      On the Pending Vulnerability tab, click the icon in the Related process column to view processes related to the vulnerability. This helps you learn about the processes and service systems that may be affected by fixing the vulnerability.
    • View vulnerability status
      • Handled
        • Fixed: The vulnerability has been fixed.
        • Ignored: The vulnerability has been ignored. Security Center no longer generates alerts on this vulnerability.
        Note For Handled vulnerabilities, you can Undo Fix. After you undo the fix, the vulnerability status changes to Unhandled.
      • Unhandled
        • Unfixed: The vulnerability has not been fixed.
        • Fixing: The vulnerability is being fixed.
        • Fix Failed: Security Center failed to fix the vulnerability. The file of the vulnerability has been modified or does not exist.
        • Handled (To Be Restarted): The vulnerability has been fixed, and a system restart is required for the fix to take effect.
        • Verifying: The vulnerability has been fixed. If the system needs to be restarted, verify the fix after the restart.
    • Manage vulnerabilities on affected assets

      On the Pending vulnerability tab, you can fix, verify, and ignore vulnerabilities. You can also undo fixes or add vulnerabilities to the whitelist.

      • Fix vulnerabilities

        Click Fix in the Actions column to fix one or more related vulnerabilities simultaneously. Security Center can fix vulnerabilities and automatically create snapshots at the same time. Select either "Create snapshots automatically and fix" or "Skip snapshot backup and fix directly" as needed.

        Note
        • The system may fail to fix a vulnerability. We recommend that you select "Create snapshots automatically and fix" to create a snapshot of the system. For more information about snapshots, see Snapshot overview.
        • Creating snapshots incurs fees based on the usage. For a 40 GB system disk, the snapshot storage fee is approximately USD 0.15 per day. For more information about the pricing of snapshots, see Snapshot billing.
      • Restart the system
        You must restart the system after you fix Linux kernel vulnerabilities. Choose one of the following methods to restart the system:
        • We recommend that you click Restart on the Detail tab of the console.
        • Alternatively, run the corresponding command in the Linux system to restart the system.
      • Verify vulnerabilities

        Click Verify to verify one or more related vulnerabilities simultaneously.

        After you click Verify, the Status of the vulnerability changes to Verifying. It takes several seconds to verify vulnerabilities.

      • Add vulnerabilities to the whitelist

        In the upper-right corner of the Detail tab, click Add to Whitelist to add the vulnerability to the whitelist. After a vulnerability is added to the whitelist, Security Center no longer generates alerts on this vulnerability.

        Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Linux Software tab. Click Settings in the upper-right corner to view these vulnerabilities in the Vul Whitelist list.

        If you want Security Center to detect and generate alerts on a vulnerability that is already added to the whitelist, select the vulnerability on the Settings page and click Remove to remove the vulnerability from the whitelist.

      • Ignore vulnerabilities

        Select the vulnerabilities to be ignored, click Ignore a vulnerability or undo a fix, and then select Ignore. Security Center no longer generates alerts on these vulnerabilities.

        Note After you Ignore a vulnerability, the status of the vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, select the vulnerability in the Handled vulnerability list and click Cancel ignore.
      • Undo a fix

        Select the vulnerability whose fix you want to undo, click Ignore a vulnerability or undo a fix, click Undo Fix, select the target snapshot, and then click OK.

    • Filter affected assets

      On the Pending vulnerability tab, you can filter affected assets by vulnerability priority (high, medium, and low), asset group, vulnerability status (handled and unhandled), server IP address, or server name.

      Note Fuzzy match for server IP addresses and names is supported.
    • Export affected assets
      In the upper-left corner of the Pending vulnerability tab, click the Export icon to export affected asset records to a local computer. The asset records are exported to an Excel file.
      Note It may take some time to export the asset records, depending on the file size.
    • Save filtered vulnerabilities

      In the upper-left corner of the Pending vulnerability tab, click the Save icon to save the filtered vulnerabilities as a group. This allows you to keep monitoring the vulnerability status of this group.

Descriptions of the details page of a Linux software vulnerability

Item Description
CVE ID The Common Vulnerabilities and Exposures (CVE) ID of the vulnerability. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. You can use a CVE ID, such as CVE-2018-1123, to look up information about vulnerability fixes in any CVE-compatible database to resolve security issues.
Impact (CVSS score) The CVSS score follows the widely accepted industry standard, Common Vulnerability Scoring System. The CVSS score is calculated based on multiple attributes of the vulnerability. This score is used to quantify the severity of vulnerabilities.
In the CVSS v3.0, the severity level indicated by each score is as follows:
  • 0.0: None.
  • 0.1-3.9: Low
    • Vulnerabilities that can cause local denial of service.
    • Vulnerabilities that have minor impacts.
  • 4.0-6.9: Medium
    • Vulnerabilities that can affect users during system and user interactions.
    • Vulnerabilities that can be exploited to perform unauthorized activities.
    • Vulnerabilities that can be exploited after attackers change local configurations or obtain important information.
  • 7.0-8.9: High
    • Vulnerabilities that can be exploited to indirectly obtain permissions to your server and application systems.
    • Vulnerabilities that can be exploited to read, download, write, or delete any files.
    • Vulnerabilities that can cause sensitive data leaks.
    • Vulnerabilities that can cause service disruption or remote denial of service.
  • 9.0-10.0: Critical
    • Vulnerabilities that can be exploited to directly obtain permissions to the operating system of your server.
    • Vulnerabilities that can be exploited to directly obtain sensitive data and cause data leaks.
    • Vulnerabilities that can cause unauthorized access to sensitive information.
    • Vulnerabilities that can cause large-scale impacts.
Affected Assets The server assets that are exposed to this vulnerability, including the public and internal IP addresses of the servers.
Priority The priority of the vulnerability. Valid values:
  • High:

    We recommend that you fix high priority vulnerabilities immediately.

  • Medium:

    You can fix medium priority vulnerabilities based on your workload needs.

  • Low:

    You can fix low priority vulnerabilities based on your workload needs.

Details On the Detail tab, find the target vulnerability and click Details in the Actions column to view details of this vulnerability.
  • Fix Command: The command that can be run to fix this vulnerability.
  • Impact description:
    • Software: The version of the software on the current server.
    • Cause: The reason why the software is exposed to this vulnerability. Typically, the reason is that the current version of the software is outdated.
    • Path: The path of the software on the server.
  • Caution: Important notes, prevention tips, and links to reference documents about this vulnerability.
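
The CVSS v3.0 bands and vulnerability statuses described in this topic can be applied to exported records for offline triage. The following is an added example, not Security Center code: the field names (name, cvss, status, asset) are assumptions because this topic does not document the export columns, and the sample rows are constructed.

```python
# Added example. Field names and SAMPLE rows are assumptions / constructed data.
UNHANDLED = ("Unfixed", "Fixing", "Fix Failed",
             "Handled (To Be Restarted)", "Verifying")
HANDLED = ("Fixed", "Ignored")

def cvss_v3_severity(score):
    """Map a CVSS v3.0 score to the severity band listed in the table above."""
    score = round(float(score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    for upper, band in ((3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= upper:
            return band
    return "Critical"

def advisory_source(name):
    """Classify a vulnerability name by its prefix: USN, RHSA, or CVE."""
    upper = name.strip().upper()
    return next((p for p in ("USN", "RHSA", "CVE") if upper.startswith(p)), "unknown")

def triage(records):
    """Split rows into a fix queue (highest CVSS first), hosts awaiting a
    restart, and rows whose status is not one this topic lists."""
    queue, restart, unknown = [], set(), []
    for rec in records:
        status = rec["status"].strip()
        if status in HANDLED:
            continue                      # Fixed or Ignored: nothing to do
        if status not in UNHANDLED:
            unknown.append(rec["name"])   # surface it, never drop it silently
        elif status == "Handled (To Be Restarted)":
            restart.add(rec["asset"])     # fix takes effect only after restart
        else:
            queue.append({"name": rec["name"], "asset": rec["asset"],
                          "source": advisory_source(rec["name"]),
                          "severity": cvss_v3_severity(rec["cvss"]),
                          "cvss": float(rec["cvss"]), "status": status})
    queue.sort(key=lambda r: r["cvss"], reverse=True)
    return {"fix_queue": queue, "restart": sorted(restart), "unknown": unknown}

SAMPLE = [  # constructed rows with placeholder identifiers
    {"name": "USN-0000-1", "cvss": "5.3", "status": "Fix Failed", "asset": "web-02"},
    {"name": "RHSA-0000:0001", "cvss": "9.8", "status": "Unfixed", "asset": "web-01"},
    {"name": "CVE-0000-0002", "cvss": "7.5", "status": "Handled (To Be Restarted)", "asset": "db-01"},
    {"name": "CVE-0000-0003", "cvss": "3.1", "status": "Ignored", "asset": "db-01"},
    {"name": "CVE-0000-0004", "cvss": "8.1", "status": "Pending", "asset": "db-02"},
]
```

Rows with a Fix Failed status stay in the fix queue because this topic lists that status under Unhandled.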