
Security Center: FAQ about vulnerability management

Last Updated: Mar 21, 2024

This topic provides answers to some frequently asked questions about the vulnerability management feature.

FAQ about Linux software vulnerabilities

How do I view the current software version and vulnerability details?

Security Center compares the software versions installed on your server with the versions affected by known Common Vulnerabilities and Exposures (CVE) entries to determine whether your server contains software vulnerabilities. To view vulnerability details and the current software version, you can use one of the following methods:

  • View the current software version and vulnerability details in the Security Center console

    Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities. On the Vulnerabilities page, you can view the system software version and vulnerability details. For more information about the parameters related to Linux software vulnerabilities, see Description of the panel that shows the details about a Linux software vulnerability.

  • View details of the current software version on your server

    You can run a command to view the details of the current software version.

    • CentOS and Red Hat

      Run the rpm -qa | grep xxx command. xxx specifies the name of the software package. For example, you can run the rpm -qa | grep bind-libs command to view the version details of the bind-libs software package.

    • Ubuntu and Debian

      Run the dpkg-query -W -f '${Package} -- ${Source}\n' | grep xxx command. xxx specifies the name of the software package. For example, you can run the dpkg-query -W | grep bind-libs command to view the version details of the bind-libs software package.

      Note

      If the specified software package is not found, run the dpkg-query -W command to view all the software that is installed on your server.

    After you obtain the version details of the software, compare the version details with the details of the Linux software vulnerabilities detected by Security Center. In the details of a vulnerability, Software and Cause indicate the version of the current software and the reason based on which Security Center determines that your server has the vulnerability.

    Note

    After you update a piece of software, Security Center may collect the remaining files of the old software version and generate a vulnerability alert on the remaining files. In this case, we recommend that you ignore this alert. Also, you can run the yum remove or apt-get remove command to delete the software package of the old version. Before you delete the package, make sure that the old software version is no longer required by your workloads or applications.

How do I update an Ubuntu kernel version?

Important

Risks may arise when you update the kernel version. We recommend that you follow the instructions provided in Fix software vulnerabilities.

The following example shows how to update kernel 3.1* to kernel 4.4 on Ubuntu 14.04:

  1. Run the uname -av command to confirm that the kernel version is 3.1*.

  2. Run the following commands to check whether the latest kernel update package is available:

    apt list | grep linux-image-4.4.0-94-generic
    apt list | grep linux-image-extra-4.4.0-94-generic

  3. If no package is available, run the apt-get update command to obtain the latest update package.

  4. Run the following commands to install the latest update package:

    apt-get update && apt-get install linux-image-4.4.0-94-generic
    apt-get update && apt-get install linux-image-extra-4.4.0-94-generic

  5. After the update package is installed, restart the server to load the kernel.

  6. After the server is restarted, run the following commands to verify the update:

    • Run the uname -av command to query the current kernel version.

    • Run the dpkg -l | grep linux-image command to query the details of the current kernel.

How do I check whether a vulnerability is fixed by using Ubuntu kernel patches?

If you modified the boot sequence in the GRUB boot menu and installed a new kernel on your Ubuntu server, the new kernel is not enabled when you restart the Ubuntu server. You must configure environment variables to enable the new kernel.

After you fix an Ubuntu kernel vulnerability in the Security Center console, restart the Linux system for the vulnerability fix to take effect. If you modified the GRUB boot menu, the system does not automatically create a boot menu for the new kernel when the system is restarted. After the system is restarted, the vulnerability remains in the Handled (To Be Restarted) state, which is displayed in the Security Center console. In this case, you cannot check whether the vulnerability is fixed.

If you want to use the default settings of the new kernel rather than the original GRUB boot menu configurations, specify the following environment variable on the Linux server before you run the command to fix vulnerabilities. This way, the system uses the default settings of the new kernel.

export DEBIAN_FRONTEND=noninteractive

If you do not use the default settings of the latest kernel, you can modify the GRUB boot sequence. For more information, see How do I modify the boot sequence of the Linux kernel?

Do I need to restart my server after I fix a vulnerability?

  • Windows servers:

    After you fix a Windows system vulnerability in the Security Center console, you must restart your server to validate the fix.

    This applies to all servers that run Windows.

  • Linux servers:

    After you fix a Linux kernel vulnerability in the Security Center console, you must restart your server to validate the fix. This applies if one of the following conditions is met:

    • Your server runs Linux, and the vulnerability that you fix is a Linux kernel vulnerability.

    • On the Linux Software tab, the vulnerability that you fix is tagged with Restart required. You can perform the following steps to go to the Linux Software tab: Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

What do I do if Security Center continues to send a vulnerability alert to me after I update the kernel?

This issue may occur if the remaining files of the old kernel version exist. If you confirm that the alert is triggered due to the remaining files of the old kernel version, you can ignore this alert or delete the remaining files. To fix this issue, you can perform the following steps:

  1. After the kernel is updated, run the uname -av and cat /proc/version commands to view the current kernel version. Make sure that the current kernel version meets the requirement that is described in the vulnerability details.

  2. Run the cat /etc/grub.conf command to query the configuration file. Make sure that the current system uses the latest kernel version.

  3. Security Center determines whether your server contains Linux software vulnerabilities based on the kernel version. If your system contains the RPM Package Manager (RPM) package of the old kernel version, the package is detected by Security Center, which then generates an alert. Make sure that your system does not contain the RPM package of the old kernel version. If your system contains the RPM package of the old kernel version, delete the package.

    Note

    Before you delete the RPM package of the old kernel version, make sure that the current system uses the latest kernel version. We recommend that you create a snapshot of your system before you delete the RPM package of the old kernel version. If exceptions occur, you can use the snapshot to restore your system.
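
The three checks in this procedure can be scripted. The following is an added example, not Alibaba Cloud code. It assumes a legacy GRUB /etc/grub.conf, kernel packages listed in the form that rpm -q kernel prints, and GNU sort -V as an approximation of RPM version ordering; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): decide whether old-kernel RPMs are safe to
# remove, following the three checks in the procedure above.
# All sample data below is constructed for illustration.

# Step 2 helper: print the kernel release that legacy GRUB boots by default.
# Reads grub.conf text on stdin; handles a numeric "default=N" only.
grub_default_kernel() {
    awk '
        BEGIN { want = 0 }                  # legacy GRUB boots entry 0 if unset
        /^[ \t]*default[= \t]/ {
            v = $0
            sub(/^[ \t]*default[= \t]+/, "", v)
            sub(/[ \t]+$/, "", v)
            want = (v ~ /^[0-9]+$/) ? v + 0 : -1
        }
        /^[ \t]*title[ \t]/ { idx++ }       # each title starts a boot entry
        /^[ \t]*kernel[ \t]/ && idx > 0 {
            n = split($2, p, "vmlinuz-")    # release follows "vmlinuz-"
            k[idx - 1] = p[n]
        }
        END { if (want in k) print k[want] }'
}

# Step 3 helper: print installed kernel packages that sort below the running
# release. Stdin: one "kernel-<release>" per line, as rpm -q kernel prints.
# Ordering uses GNU sort -V, an approximation of RPM version comparison.
stale_kernels() {
    running=$1
    sed -n 's/^kernel-\([0-9]\)/\1/p' | while IFS= read -r rel; do
        [ "$rel" = "$running" ] && continue
        lowest=$(printf '%s\n%s\n' "$rel" "$running" | sort -V | head -n 1)
        if [ "$lowest" = "$rel" ]; then printf 'kernel-%s\n' "$rel"; fi
    done
}

# Combine the checks. Prints one verdict line and returns 0 only when the
# running kernel is the newest installed one and GRUB boots it by default.
#   $1 running release (uname -r)  $2 grub.conf text  $3 rpm -q kernel output
audit_kernels() {
    running=$1
    boot=$(printf '%s\n' "$2" | grub_default_kernel)
    newest=$(printf '%s\n' "$3" | sed -n 's/^kernel-\([0-9]\)/\1/p' \
        | sort -V | tail -n 1)
    if [ "$running" != "$newest" ]; then
        echo "HOLD: running $running but newest installed is $newest"
        return 1
    fi
    if [ "$boot" != "$running" ]; then
        echo "HOLD: GRUB default boots ${boot:-unknown}, not $running"
        return 1
    fi
    stale=$(printf '%s\n' "$3" | stale_kernels "$running" | tr '\n' ' ')
    stale=${stale% }
    echo "OK: removal candidates: ${stale:-none}"
}

# Constructed sample: a CentOS 6 style grub.conf and package list.
SAMPLE_GRUB='default=0
timeout=5
title CentOS (2.6.32-754.el6.x86_64)
        kernel /vmlinuz-2.6.32-754.el6.x86_64 ro root=/dev/vda1
title CentOS (2.6.32-696.el6.x86_64)
        kernel /vmlinuz-2.6.32-696.el6.x86_64 ro root=/dev/vda1'
SAMPLE_RPMS='kernel-2.6.32-696.el6.x86_64
kernel-2.6.32-754.el6.x86_64'

# Demo run on the constructed data. On a real host, pass "$(uname -r)",
# "$(cat /etc/grub.conf)" and "$(rpm -q kernel)" instead.
audit_kernels 2.6.32-754.el6.x86_64 "$SAMPLE_GRUB" "$SAMPLE_RPMS"
```

A HOLD verdict means the old package should stay installed until the server has been restarted into the new kernel or the GRUB default has been corrected.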

If you do not want to delete the RPM package of the old kernel version, you can perform the following steps to ignore the alerts that are generated on the old kernel version. Before you ignore the alerts, make sure that the current system uses the latest kernel version.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

  3. Click the Linux Software tab, find the required vulnerability, and then click the vulnerability name. The panel that displays the vulnerability details appears.

  4. In the Actions column, click the More icon and select Ignore.

What do I do if no update is released for the software package that has a vulnerability?

If no official update is available for the software package that has a vulnerability, you cannot fix the vulnerability in the Security Center console. In this case, you can perform the following operations to fix the vulnerability:

  • You may receive one of the following messages when you update software to fix a vulnerability:

    Package xxx already installed and latest version
    Nothing to do

    Or

    No Packages marked for Update

    In this case, wait until an official update of the software package is available.

    The following software packages do not have available updates:

    • Gnutls

    • Libnl

    • MariaDB

  • After you update the software package to the latest version, the software package may still fail to meet the version requirement that is described in the Security Center console.

    In this case, check whether the operating system version of your server is supported. For example, since September 1, 2017, CentOS 6.2 to 6.6 and CentOS 7.1 are no longer supported. If your operating system version is not supported, we recommend that you ignore the vulnerability in the Security Center console or update the operating system of your server. If you ignore the vulnerability, the risk may still exist.

FAQ about vulnerability fixing

How do I fix vulnerabilities?

Security Center can detect Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities, and urgent vulnerabilities. However, Security Center can fix only Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities.

The capabilities of the vulnerability fixing feature vary based on the edition of Security Center. Before you can fix a vulnerability in the Security Center console with a few clicks, you must enable the vulnerability fixing feature. For more information, see Purchase the vulnerability fixing feature.

To fix a vulnerability, perform the following steps: Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities. On the Vulnerabilities page, find the Linux software vulnerability, Windows system vulnerability, or Web-CMS vulnerability that you want to fix and click Fix in the Actions column. For a Linux software vulnerability or Windows system vulnerability, you can create snapshots. After you fix the vulnerability and the vulnerability status changes to Fixed and To Be Restarted, you must restart your server as prompted and then check whether the vulnerability is fixed.

For urgent vulnerabilities and application vulnerabilities, you can manually fix the vulnerabilities based on the fix suggestions that are provided in the vulnerability details panel. After you fix a vulnerability, you can check whether the vulnerability is fixed on the Vulnerabilities page.

Why is the Fix button dimmed when I fix a vulnerability?

  • The Fix button for a Linux software vulnerability is dimmed

    • For specific outdated or commercial operating systems, you must manually upgrade the operating systems to fix vulnerabilities.

      Note

      If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities:

      • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8

      • CentOS 5

      • Ubuntu 12

      • All versions of Debian

    • Linux software vulnerabilities may fail to be fixed due to issues, such as insufficient disk space on your server or unauthorized access to files. Before you fix Linux software vulnerabilities in the Security Center console, you must manually handle the issues on the server. The following list describes these issues and solutions:

      • The disk space is less than 3 GB.

        Solution: Resize or clear the disk. Then, fix the vulnerabilities again in the Security Center console.

      • The apt-get or APT/YUM process is running.

        Solution: Wait until the process is complete, or manually stop the process. Then, fix the vulnerability again in the Security Center console.

      • The system reports insufficient permissions when running the APT, YUM, or RPM command.

        Solution: Check and manage access permissions on the files. We recommend that you set file permissions to 755, and make sure that the file owner is the root user. Then, fix the vulnerability again in the Security Center console.

        Note

        After you set file permissions to 755, the file owner has the read, write, and execute permissions on the file. Other users and the user group to which the file owner belongs have read and execute permissions on the file.

  • The Fix button for a Windows system vulnerability is dimmed

    If the disk space of a server is insufficient or the Windows Update service is running, Windows system vulnerabilities fail to be fixed and the Fix button is dimmed. Before you fix Windows system vulnerabilities in the Security Center console, you must manually handle the issues on the server. To view the server issues and solutions provided by Security Center, move the pointer over the Fix button. The following list describes these issues and solutions:

    • The Windows Update service is running.

      Solution: Wait for a few minutes and fix the vulnerabilities again. Alternatively, terminate the Wusa process on the server and fix the vulnerabilities again in the Security Center console.

    • The Windows Update service is disabled.

      Solution: Start Task Manager of the server and enable the Windows Update service. Then, fix the vulnerabilities again in the Security Center console.

    • The server disk space is less than 500 MB.

      Solution: Resize or clear the disk. Then, fix the vulnerabilities again in the Security Center console.

Linux software vulnerabilities and Windows system vulnerabilities fail to be fixed. Why?

If the system prompts that a fix failed when you fix a Linux software vulnerability or a Windows system vulnerability in the Security Center console, follow the instructions in the following table to troubleshoot the failure.

Note

We recommend that you identify the cause of a fix failure by following the instructions in the table from top to bottom.

  • Cause: The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.

    Description: If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix fails. Specific issues may cause the Security Center agent to be disconnected from Alibaba Cloud. For example, the network connection between the server and Security Center is abnormal, or the CPU utilization or memory usage of the server is excessively high.

    Solution: Troubleshoot the Security Center agent disconnection. For more information, see Troubleshoot why the Security Center agent is offline.

  • Cause: The disk or memory space of the server on which the vulnerability is detected is insufficient.

    Description: If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Increase the storage space of the server or delete unnecessary files from the server.

      2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console.

  • Cause: No permissions are granted to read or write the disk file system of the server on which the vulnerability is detected.

    Description: If you do not have the read and write permissions on the disk file system, Security Center cannot download the patch package that is required to fix the vulnerability.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Obtain the read and write permissions on the disk file system.

      2. After you obtain the permissions, fix the vulnerability again in the Security Center console.

  • Cause: Linux software vulnerability: Configuration errors occur in the system update source for the server on which the vulnerability is detected.

    Description: If configuration errors occur in the system update source or the YUM repositories are not updated to the latest version, Security Center cannot install the updates as expected.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Reconfigure the system update source. The following methods are available:

        • Log on to the Security Center console and go to the Vulnerabilities page. In the upper-right corner of the page, click Settings. In the panel that appears, turn on Priority to use Alibaba Cloud source for YUM/APT Source Configuration.

          After you turn on the switch, Security Center automatically uses the YUM or APT source of Alibaba Cloud to download the update and fix the vulnerability. This increases the success rate of vulnerability fixes.

        • Make sure that the YUM repositories are up-to-date.

      2. Fix the vulnerability again in the Security Center console.

  • Cause: Linux software vulnerability: The RPM database is corrupted.

    Description: If the RPM database is corrupted, Security Center cannot install the software package that is required to fix the vulnerability.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Run the rm -f /var/lib/rpm/__db.* command to delete the RPM lock file.

      2. Run the rpm --rebuilddb command to rebuild the RPM database.

    Note

    This command may take a long time to run.

  • Cause: Windows system vulnerability: The prepatch for the vulnerability is missing.

    Description: If the prepatch for the vulnerability is missing, the vulnerability fix may fail.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Install the prepatch.

      2. After the prepatch is installed, fix the vulnerability again in the Security Center console.

  • Cause: Windows system vulnerability: The Windows Update or Windows Modules Installer service is disabled on the server on which the vulnerability is detected.

    Description: If the Windows Update or Windows Modules Installer service is disabled, Security Center cannot download the patch package that is required to update the server system.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Enable the Windows Update and Windows Modules Installer services.

      2. Fix the vulnerability again in the Security Center console.

  • Cause: Windows system vulnerability: Errors occur during the downloading and installation of the patch package that is required to fix the vulnerability.

    Description: If the patch package is not found or is incompatible with the server operating system, the vulnerability fix may fail.

    Solution: To troubleshoot this failure, perform the following operations:

      • The patch package is not found.

        Download the patch package again. Then, fix the vulnerability.

      • The patch package is incompatible with the server operating system.

        Log on to the Security Center console and ignore the vulnerability on the Vulnerabilities page.

      • Another patch is being installed.

        You cannot install two patches at the same time. We recommend that you fix the vulnerability after the current patch is installed.

  • Cause: Windows system vulnerability: Other errors occur on the server.

    Description: None.

    Solution: To troubleshoot this failure, perform the following operations:

Web-CMS vulnerabilities fail to be fixed. Why?

If the system prompts that a fix failed when you fix a Web-CMS vulnerability in the Security Center console, follow the instructions in the following table to troubleshoot the failure.

Note

We recommend that you identify the cause of a fix failure by following the instructions in the table from top to bottom.

  • Cause: The network connection is abnormal.

    Description: The network connection between the server and Security Center is abnormal. In this case, the Security Center agent is disconnected from Alibaba Cloud. This causes the vulnerability fix to fail.

    Solution: Fix the network connection error to bring the Security Center agent online. For more information, see Troubleshoot why the Security Center agent is offline.

  • Cause: The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.

    Description: If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix fails. Specific issues may cause the Security Center agent to be disconnected from Alibaba Cloud. For example, the network connection between the server and Security Center is abnormal, or the CPU utilization or memory usage of the server is excessively high.

    Solution: Troubleshoot the Security Center agent disconnection. For more information, see Troubleshoot why the Security Center agent is offline.

  • Cause: The disk or memory space of the server on which the vulnerability is detected is insufficient.

    Description: If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Increase the storage space of the server or delete unnecessary files from the server.

      2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console.

  • Cause: Third-party security software is installed on the server on which the vulnerability is detected.

    Description: If security software, such as SafeDog, is installed on the server and you have optimized directory permissions or modified relevant settings by using the software, the system account may not have permissions to write the files in the www directory and its subdirectories. As a result, the vulnerability fix may fail.

    Solution: Check whether the system account has the read and write permissions on the www directory and its subdirectories. If no, manually grant the permissions to the system account.

  • Cause: The vulnerability file does not exist.

    Description: If the vulnerability file is deleted, Security Center prompts that the fix failed.

    Solution: To troubleshoot this failure, perform the following steps:

      1. Check whether the vulnerability file is deleted from the required server directory, which can be obtained from the vulnerability details in the Security Center console.

      2. If the vulnerability file is deleted, ignore the vulnerability.

After I fix a vulnerability, the vulnerability is still in the Unfixed state. Why?

After you fix a vulnerability, the status of the vulnerability is not automatically updated. The status is updated only after you perform a vulnerability scan. The following list describes possible causes and solutions. The causes and solutions vary based on the Security Center edition.

  • Basic and Anti-virus: The vulnerability is still in the Unfixed state because latency exists in vulnerability scans. Security Center automatically scans for vulnerabilities every two days. We recommend that you check the status of the vulnerability two days after you fix the vulnerability.

  • Advanced, Enterprise, and Ultimate: After you fix the vulnerability, you must manually perform a vulnerability scan. After the vulnerability scan is complete, you can view the latest status of the vulnerability. For more information, see Scan for vulnerabilities.

Does Security Center automatically fix vulnerabilities?

No, Security Center does not automatically fix vulnerabilities. Security Center supports only the vulnerability detection and quick fixing features. After you enable the quick fixing feature, Security Center delivers vulnerability fixing tasks online. When Security Center scans for vulnerabilities, Security Center also verifies whether the vulnerabilities are fixed. If a previously detected vulnerability is not detected in the vulnerability scan, Security Center changes the status of the vulnerability to Fixed. A previously detected vulnerability may not be detected in the vulnerability scan due to the following reasons:

  • You logged on to the server on which the vulnerability is detected and manually updated the software package.

  • The container on which the vulnerability is detected stops running.

  • The components of the vulnerability do not exist.

  • The process on which the vulnerability is detected does not exist.

I want to fix multiple vulnerabilities at a time in the Security Center console. What is the fixing order?

Linux software vulnerabilities and Web-CMS vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console. For specific Windows system vulnerabilities, pre-patches are required before Security Center can fix the vulnerabilities. When multiple Windows system vulnerabilities are fixed, vulnerabilities that require pre-patches are fixed before other vulnerabilities. Other vulnerabilities are fixed based on the order of vulnerabilities on the vulnerability list in the Security Center console.

Why am I unable to create a snapshot when I fix a vulnerability? What do I do?

When you fix a vulnerability, you may fail to create a snapshot due to the following reasons:

  • A RAM user is used to fix the vulnerability: If the RAM user is not granted the permissions to create a snapshot, the Security Center console prompts that you cannot create a snapshot. We recommend that you use an Alibaba Cloud account to create a snapshot. For more information about RAM users, see Overview of RAM users.

  • Your server is not deployed on Alibaba Cloud: You can create snapshots to fix vulnerabilities only when your server is deployed on Alibaba Cloud.

Why does Security Center continue to send alerts to me after I fix vulnerabilities? What do I do?

This issue occurs because your server is not restarted and the restart is required after you fix vulnerabilities. The vulnerabilities refer to Linux kernel vulnerabilities in this situation. To restart your server, go to the panel that displays vulnerability details and click Restart in the Actions column. After your server is restarted, you can click Verify in the Actions column. If the status of the vulnerability changes to Handled, the vulnerability is fixed.

What do I do if the "An error occurred while obtaining the permission. Check the permission and try again." message appears when I fix a vulnerability?

This issue occurs because your account does not have permissions to manage the file required to fix the vulnerability. We recommend that you find the vulnerability that you want to fix in the Security Center console and click the vulnerability name. In the panel that appears, view the details of the vulnerability and check whether the owner of the file is the root user. If the owner is not the root user, you must change the owner to the root user. Then, you can return to the Security Center console to fix the vulnerability.

Why are the records of detected vulnerabilities still displayed in the Security Center console after the Security Center agent is disabled or disconnected from Alibaba Cloud?

After the Security Center agent is disabled or disconnected from Alibaba Cloud, the system retains the records of detected vulnerabilities in the Security Center console.

If the Security Center agent is disabled or disconnected from Alibaba Cloud, the alerts generated for all detected system vulnerabilities become invalid after 3 days, the alerts generated for all detected Web-CMS vulnerabilities become invalid after 7 days, the alerts generated for all detected application vulnerabilities become invalid after 30 days, and the alerts generated for all detected urgent vulnerabilities become invalid after 90 days. In this case, you cannot perform operations on the vulnerabilities. For example, you cannot fix the vulnerabilities or delete the records of the vulnerabilities.

If you do not renew Security Center within seven days after Security Center expires, your data is released and deleted, and the detected vulnerabilities are no longer displayed.

How do I delete a patch that is required to fix a Windows system vulnerability from the directory of the Security Center agent?

After you fix a Windows system vulnerability by using the quick fixing feature, the Security Center agent automatically downloads, installs, and then deletes the patch. If the Security Center agent does not delete the patch three days after the vulnerability is fixed, perform the following steps to manually delete the patch:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. If you enabled client protection, click the required server on the Host page and disable client protection on the server details page.

    If client protection was never enabled, skip this step and go to the next step.

    If client protection is enabled, all process files in the directory of the Security Center agent are protected. In this case, Security Center rejects your requests to delete or download a process file from the directory of the Security Center agent.

  4. Log on to your server as an administrator.

  5. Find the patch and manually delete the patch.

    The path of the patch is C:\Program Files (x86)\Alibaba\Aegis\globalcfg\hotfix.

  6. Optional. On the server details page, turn on Client Protection.

How do I handle a connection timeout between my server and the YUM repository of Alibaba Cloud?

If a connection times out, the following error message appears:

[Errno 12] Timeout on http://mirrors.aliyun.com/centos/6/os/x86_64/repodata/repomd.xml: (28, 'connect() timed out!')

Make sure that the DNS settings of your server are correct, and wait a while. If the issue persists, submit a ticket to contact technical support.

The "Invalid token" error message appears when I fix a vulnerability. What do I do?

If you receive the Invalid token error message in the Security Center console, you can refresh the current page and log on to the console again.

Note

You can press Ctrl+F5 to forcefully refresh the current page.

Can Security Center automatically verify the fix of a vulnerability that requires a system restart?

No, Security Center cannot automatically verify the fix of a vulnerability that requires a system restart.

If a vulnerability is fixed and a system restart is required to verify the fix, the status of the vulnerability is Fixed and Pending Restarted. In this case, perform a server restart in the Security Center console or manually restart the server. After the server is restarted, you can click Verify to check whether the vulnerability is fixed.

Security Center periodically scans for vulnerabilities. If you do not verify the fix of the vulnerability after the server is restarted, Security Center no longer detects the vulnerability on your server. In this case, Security Center retains the information about these vulnerabilities for three days. Make sure that networks work as expected and no other factors affect vulnerability detection. After three days, the vulnerability information is deleted.

If your Security Center expires and you do not renew Security Center within seven days after expiration, your data in the Security Center console is released and deleted. In this case, Security Center is downgraded to the Basic edition, and Security Center allows you to view vulnerabilities other than application vulnerabilities.

Why does the state of a vulnerability remain unchanged when I verify the vulnerability fix?

After you run the command generated by Security Center to fix a Linux software vulnerability, the Linux software is updated. The new software version meets the requirement described on the Vulnerabilities page of the Security Center console. However, when you click Verify in the panel that displays the details of the vulnerability, the status of the vulnerability does not change to Fixed.

To handle this issue, perform the following steps:

  • Check the priorities of the vulnerabilities that are detected by Security Center

    Perform the following steps:

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

    3. In the upper-right corner of the Vulnerabilities page, click Settings.

    4. In the Settings panel, view Vul scan level.

    If a priority is not selected, Security Center does not automatically update the information about vulnerabilities of that priority. You can select priorities based on your business requirements.

  • Check whether the Security Center agent is offline

    If the Security Center agent on your server is offline, you cannot verify vulnerability fixes on the Vulnerabilities page. We recommend that you troubleshoot why the Security Center agent is offline. Make sure that the Security Center agent on your server is online. For more information, see Troubleshoot why the Security Center agent is offline.

Why does Security Center fail to roll back a fix for a vulnerability?

If Security Center fails to roll back a fix for a vulnerability, perform the following operations:

  1. Make sure that the Security Center agent on your server is connected to Alibaba Cloud. If the Security Center agent is disconnected from Alibaba Cloud, troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.

  2. Check whether the snapshots that were created when you fixed the vulnerability have expired or been deleted.

    If the snapshots are deleted, Security Center cannot roll back the vulnerability fix. If the snapshots exist, submit a ticket to contact technical support.

FAQ about vulnerability detection

Can Security Center detect Elasticsearch vulnerabilities?

Yes, Security Center can detect Elasticsearch vulnerabilities.

You can perform the following operations to check whether Elasticsearch vulnerabilities are detected: Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities. On the Vulnerabilities page, click the Application Vulnerability tab.

Note

Only the Enterprise and Ultimate editions of Security Center can detect application vulnerabilities. If you use the Basic, Anti-virus, or Advanced edition and you want to detect application vulnerabilities, you must upgrade Security Center to the Enterprise edition.

Why are repeated application vulnerabilities displayed for a server in the Security Center console?

Security Center detects application vulnerabilities per process. The number of application vulnerabilities reported for an application equals the number of running processes of that vulnerable application on the server. If an application that has application vulnerabilities is installed on a server but no processes are started for the application, no application vulnerabilities are detected.

Are my workloads affected when Security Center scans for urgent vulnerabilities?

Security Center checks whether your assets contain urgent vulnerabilities based on the preliminary detection principle. Security Center sends one or two TCP request packets to the IP addresses of all your Elastic Compute Service (ECS) or Server Load Balancer (SLB) instances. The packets are not malicious. The urgent vulnerability detection feature was tested on millions of IP addresses and showed highly stable and reliable performance. However, test environments cannot cover all scenarios, so unknown risks may still occur. For example, if the business logic of a specific website is vulnerable, one or two TCP request packets may cause the server to fail. In this case, your business system may be at risk.

Why are the results different when Security Center scans multiple times for fastjson urgent vulnerabilities?

Whether fastjson vulnerabilities can be detected depends on whether the JAR packages are loaded. A web server loads JAR packages in dynamic or static mode. In dynamic mode, fastjson vulnerabilities can be detected only if the JAR packages are running. Therefore, the scan results can differ from one scan to the next. We recommend that you scan for fastjson vulnerabilities multiple times to improve the accuracy of scan results.
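
Both answers above tie detection to running processes: one finding per process of a vulnerable application, and fastjson visible only while its JAR is loaded. The shell functions below are an added example, not Security Center's detection logic (which this page does not describe), that draw the same distinction on a host. They assume that a loaded JAR appears as an open file descriptor under /proc/<pid>/fd (not true for fastjson nested inside a fat JAR) and that the file is named fastjson-*.jar.

```shell
#!/bin/sh
# Added example: which running processes hold a fastjson JAR open?
# Assumption: a loaded JAR is visible as an open descriptor in /proc/<pid>/fd.
# The fastjson-*.jar name pattern is also an assumption.

# loaded_fastjson [proc_root]
# Prints "pid<TAB>path" once per process and JAR. A "(deleted)" suffix means
# the file was replaced on disk while the process still uses the old copy.
loaded_fastjson() (
    proc_root="${1:-/proc}"
    for piddir in "$proc_root"/[0-9]*; do
        [ -d "$piddir/fd" ] || continue
        for fd in "$piddir"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "${target##*/}" in
                fastjson-*.jar|fastjson-*.jar\ \(deleted\))
                    printf '%s\t%s\n' "${piddir##*/}" "$target" ;;
            esac
        done
    done | sort -u
)

# count_loaded_processes [proc_root]
# Distinct processes with a fastjson JAR open: one finding per process.
count_loaded_processes() (
    loaded_fastjson "${1:-/proc}" | cut -f1 | sort -u | wc -l | tr -d ' '
)

# unloaded_on_disk <lib_dir> [proc_root]
# JARs under lib_dir that no running process has open (installed, not loaded).
unloaded_on_disk() (
    loaded=$(loaded_fastjson "${2:-/proc}" | cut -f2)
    find "$1" -type f -name 'fastjson-*.jar' | sort | while IFS= read -r jar; do
        printf '%s\n' "$loaded" | grep -qxF -- "$jar" || printf '%s\n' "$jar"
    done
)
```

Source the file and call the functions as root so that the descriptors of other users' processes are readable. A JAR that only `unloaded_on_disk` lists is the case in which a scan at that moment reports nothing.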

How often does Security Center detect vulnerabilities?

Security Center can detect vulnerabilities such as Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, urgent vulnerabilities, and application vulnerabilities. You can fix the detected vulnerabilities. The following table lists the default scan cycle and scan mode for vulnerabilities of each type.

| Type | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
| --- | --- | --- | --- | --- | --- |
| Linux software vulnerability | An automatic scan every two days | An automatic scan every two days | An automatic scan every day | An automatic scan every day | An automatic scan every day |
| Windows system vulnerability | An automatic scan every two days | An automatic scan every two days | An automatic scan every day | An automatic scan every day | An automatic scan every day |
| Web-CMS vulnerability | An automatic scan every two days | An automatic scan every two days | An automatic scan every day | An automatic scan every day | An automatic scan every day |
| Application vulnerability | Not supported | Not supported | Not supported | An automatic scan every week (You can modify the automatic scan cycle.) | An automatic scan every week (You can modify the automatic scan cycle.) |
| Urgent vulnerability | Not supported | Not supported | Not supported (You can specify a scan cycle to perform periodic scans.) | Not supported (You can specify a scan cycle to perform periodic scans.) | Not supported (You can specify a scan cycle to perform periodic scans.) |

If you want to enable or disable scans for vulnerabilities of a specific type, or modify the scan cycles for application vulnerabilities and urgent vulnerabilities, click Settings in the upper-right corner of the Vulnerabilities page. If you want to immediately scan for vulnerabilities on your assets, you can use the quick scan feature that is provided by Security Center. For more information, see Scan for vulnerabilities.

After the vulnerability detection is complete, you can go to the Risk Governance > Vulnerabilities page of the Security Center console to view the detection results and handle vulnerabilities that are detected.

Can Security Center detect system- and application-layer vulnerabilities?

Yes, Security Center can detect system- and application-layer vulnerabilities.