Security vulnerabilities such as buffer overflows and privilege escalation are defects introduced during operating system and software development. Attackers exploit these defects to run malicious code, steal data, escalate privileges, or gain full control of a server. Fix high-risk vulnerabilities on your Elastic Compute Service (ECS) instances promptly to prevent attacks that target publicly known vulnerabilities.
After vendors release security notices and patches, malicious actors often develop exploits based on the patch information. Apply patches as soon as they become available.
Prerequisites
Before you begin, ensure that you have:
Host security protection enabled on your ECS instances, which activates the free edition of Security Center
(For vulnerability fixing) The vulnerability fixing feature enabled in Security Center (paid feature)
Monitor vulnerabilities
After you enable host security protection, Security Center continuously detects known vulnerabilities and other security risks on your servers and applications. By default, the system scans for vulnerabilities every two days.
Set up alert notifications
Configure Notification Settings in Security Center to receive notifications when a security risk is detected.
Check Alibaba Cloud security notices
Regularly check the official Alibaba Cloud Security notices for the latest vulnerability information and recommended patches.
View scan results
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region of the asset that you want to protect.
On the Vulnerabilities page, manually scan for vulnerabilities or configure automatic vulnerability scans.
Fix vulnerabilities
Vulnerability fixing is a paid feature in Security Center. Enable the vulnerability fixing feature, and then fix the vulnerabilities detected on your instances.
During the fix process, set the Snapshot Retention Period to create a snapshot of your instance before the patch is applied. This allows you to roll back changes if a patch causes unexpected issues.
Console
Log on to the Security Center console.
In the left-side navigation pane, choose . Click the number under High-priority Vulnerabilities (CVE). A value of 0 indicates that no important vulnerabilities exist. Find vulnerabilities that have a status of Unfixed and a severity of High.
In the Actions column, click Fix. Follow the on-screen instructions to enter information, such as the Snapshot Retention Period, and then click Fix Now. After the task is created, click OK.
After the fix task runs, the vulnerability status changes to Fixing.
Verify the fix
After the task is complete, click Verify or wait for the next vulnerability scan cycle. Confirm that the vulnerability status changes to Handled or that the vulnerability no longer appears in the list. If the fix fails, troubleshoot the issue based on the information provided.
API
Call the ModifyOperateVul API operation to handle detected vulnerabilities.
Call the OperateVuls API operation to fix Linux software vulnerabilities.
For all vulnerability management OpenAPI operations, see Vulnerability fixing.
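The triage-fix-verify loop described in the console and API sections above, as an added example that is not Alibaba Cloud's own code: it selects Unfixed High CVE entries from scan results, builds one OperateVuls request per instance, and classifies the next scan into fixed, still fixing, and failed. The scan-result rows are constructed for this example (not DescribeVulList output), and the request keys Type, OperateType, Uuids and VulNames plus the values vul_fix and vul_verify are assumptions to confirm against the Security Center API reference.

```python
import json
from collections import defaultdict

# Constructed sample scan results, one row per (vulnerability, instance).
# The field names mirror the console columns; this is not real API output.
SCAN_BEFORE = [
    {"name": "CVE-EXAMPLE-0001", "type": "cve", "severity": "High", "status": "Unfixed", "uuid": "uuid-instance-a"},
    {"name": "CVE-EXAMPLE-0002", "type": "cve", "severity": "High", "status": "Unfixed", "uuid": "uuid-instance-a"},
    {"name": "CVE-EXAMPLE-0001", "type": "cve", "severity": "High", "status": "Unfixed", "uuid": "uuid-instance-b"},
    {"name": "CVE-EXAMPLE-0003", "type": "cve", "severity": "Medium", "status": "Unfixed", "uuid": "uuid-instance-b"},
    {"name": "CVE-EXAMPLE-0004", "type": "cve", "severity": "High", "status": "Handled", "uuid": "uuid-instance-b"},
]


def select_fix_candidates(results, severity="High"):
    """Pick what the procedure says to fix first: CVE entries that are Unfixed and High."""
    return [r for r in results
            if r["type"] == "cve" and r["severity"] == severity and r["status"] == "Unfixed"]


def build_operate_vuls_requests(candidates, operate_type="vul_fix"):
    """One request per instance, so a vulnerability name is only sent to instances that have it.
    Parameter names and the operate_type values ("vul_fix" to fix, "vul_verify" for the
    later Verify step) are assumptions about the OperateVuls API."""
    names_by_uuid = defaultdict(set)
    for c in candidates:
        names_by_uuid[c["uuid"]].add(c["name"])
    return [{"Type": "cve", "OperateType": operate_type,
             "Uuids": [uuid], "VulNames": sorted(names)}
            for uuid, names in sorted(names_by_uuid.items())]


def classify_after_fix(candidates, rescan):
    """Compare fix candidates with the next scan: Handled or no longer listed means fixed,
    Fixing means the task is still running, anything else means the fix failed."""
    current = {(r["name"], r["uuid"]): r["status"] for r in rescan}
    outcome = {"fixed": [], "fixing": [], "failed": []}
    for c in candidates:
        key = (c["name"], c["uuid"])
        status = current.get(key, "Handled")  # absent from the rescan counts as handled
        bucket = {"Handled": "fixed", "Fixing": "fixing"}.get(status, "failed")
        outcome[bucket].append(key)
    return outcome


if __name__ == "__main__":
    todo = select_fix_candidates(SCAN_BEFORE)
    for req in build_operate_vuls_requests(todo):
        print(json.dumps(req))
```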
Check compliance posture
Use Cloud Security Posture Management (CSPM) to identify ECS instances with unpatched high-risk vulnerabilities.
Log on to the Security Center console.
In the left-side navigation pane, choose . Click the Cloud Service Configuration Risk tab. Find the check item named Computers with unpatched high-risk system vulnerabilities and click Scan in the Actions column.
If the status is Not Passed, instances with unfixed high-risk system vulnerabilities exist. Click Details to view the affected instances.
For more information, see Cloud Security Posture Management overview.