Patch high-risk vulnerabilities on your ECS instances promptly to prevent exploits such as privilege escalation and remote code execution.
After vendors release patches, malicious actors quickly develop exploits from the patch details. Apply patches as soon as they become available.
Prerequisites
Ensure that you have:
-
Host security protection enabled on your ECS instances, which activates the Security Center Free Edition
-
(For vulnerability fixing) Vulnerability fixing feature enabled in Security Center (paid)
Monitor vulnerabilities
After you enable host security protection, Security Center continuously detects known vulnerabilities on your servers and applications. By default, scans run every two days.
Set up alert notifications
Configure Notification Settings in Security Center to receive alerts when vulnerabilities are detected.
Check security notices
Regularly check Alibaba Cloud Security notices for the latest vulnerability details and recommended patches.
View scan results
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . Select the region of the target asset.
-
On the Vulnerabilities page, run a manual scan or configure automatic scans.
Fix vulnerabilities
Vulnerability fixing is a paid Security Center feature. Enable vulnerability fixing, then fix detected vulnerabilities.
Set the Snapshot Retention Period to create a snapshot before patching. This allows you to roll back if a patch causes issues.
Console
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . Click the number under High-priority Vulnerabilities (CVE). Find vulnerabilities with a status of Unfixed and a severity of High.
-
In the Actions column, click Fix. Set the Snapshot Retention Period, then click Fix Now > OK.
-
After the fix task runs, the vulnerability status changes to Fixing.
Verify the fix
After the fix completes, click Verify or wait for the next scan cycle. Confirm that the status changes to Handled or the vulnerability no longer appears. If the fix fails, troubleshoot based on the error details.
API
-
Call ModifyOperateVul to handle detected vulnerabilities.
-
Call OperateVuls to fix Linux software vulnerabilities.
See Vulnerability fixing for all vulnerability management API operations.
Check compliance posture
Use CSPM to identify ECS instances with unpatched high-risk vulnerabilities.
-
Log on to the Security Center console.
-
In the left-side navigation pane, choose . Click the Cloud Service Configuration Risk tab, find Computers with unpatched high-risk system vulnerabilities, and click Scan in the Operation column.
-
If the status is Not Passed, unpatched high-risk vulnerabilities exist. Click Details to view affected instances.