This topic describes the recommended measures for fixing software vulnerabilities. These measures ensure effective and reliable vulnerability fixes.

Note The measures can be used to fix vulnerabilities detected in operating systems, network devices, databases, and middleware on servers.

Procedure of fixing software vulnerabilities

Expertise on software security is required to fix software vulnerabilities on your servers. You must follow these steps to fix software vulnerabilities:

Before the fix

  • Check all assets on the target server and log on to Security Center to check the vulnerabilities on the server.
  • Determine which vulnerabilities need to be fixed. You do not have to fix all vulnerabilities at the earliest opportunity. You can select servers based on the business status, server resource usage, and impacts caused by vulnerability fixes.
  • Upload vulnerability patches to the testing environment, test the compatibility and security of these patches, and then generate a vulnerability fix testing report. A testing report must contain the vulnerability fix result, fix duration, patch compatibility, and impacts caused by the vulnerability fix.
  • Use the backup and recovery system to back up the data on the server in case of exceptions. For example, you can use the snapshot feature of ECS to create a snapshot of the target ECS instance.

During the fix

  • Upload vulnerability patches to the server and use the patches to fix vulnerabilities. This task requires a minimum of two administrators. One administrator is responsible for vulnerability fixes and the other one is responsible for recording the operations. Exercise caution when you fix vulnerabilities.
  • Follow the system vulnerability list to upgrade the system and fix vulnerabilities.

After the fix

  • Validate the vulnerability fixes on the server. Make sure that the vulnerabilities are fixed and that no exception occurs on the server.
  • Generate a vulnerability fix report based on the entire vulnerability fix process and archive the relevant documents.

Risk prevention

To make sure that the target server runs properly during the vulnerability fix process and minimize the possibility of exceptions, perform the following operations:

  • Develop a vulnerability fix plan

    Research the operating system and applications of the target server and develop an applicable plan. The feasibility of the plan must be discussed and verified in a testing environment. Make sure all operations in the vulnerability fix plan are performed and do not have negative impacts on the target server.

  • Test the vulnerability fix plan

    You must use a testing environment to verify the feasibility of your vulnerability fix plan. Make sure that the plan has no negative impacts on the online business system to be fixed.

    Requirements for the testing environment:

    • The operating system and database system in the testing environment must be the same as those in the online business system.
    • The application system in the testing environment must be the same as that in the online business system.
    • We recommend that you use the last full backup of the online business system as the test data.
  • Back up the business system

    Back up the entire business system, including the operating system, applications, and data. Then, verify that the backup data can be used to restore the system. If your system encounters an error or data loss, the system backup is used to restore the system. This ensures business stability. We recommend that you allow Security Center to automatically create snapshots to quickly back up your business system before fixing vulnerabilities.

    Note Security Center automatically creates a system snapshot of your server only if the vulnerability to be fixed is a Linux software vulnerability or a Windows system vulnerability.