
Elastic Compute Service: Fix high-risk security vulnerabilities

Last Updated: Jan 15, 2026

Operating systems and software can have security vulnerabilities, such as buffer overflows and privilege escalation, that are introduced during development. You should promptly fix high-risk security vulnerabilities on your Elastic Compute Service (ECS) instances.

Security risks

Security vulnerabilities are defects that are introduced into an operating system or software during the design and development process. Attackers can exploit these defects to run malicious code, steal data, escalate privileges, or even gain full control of a server. After vendors release security notices and patches, many malicious actors develop exploits based on the patch information. To prevent attacks that exploit publicly known vulnerabilities, you should promptly fix high-risk vulnerabilities based on the vendor's security notices.

Best practices

Monitor system and application vulnerabilities

You can discover and view vulnerabilities using Alibaba Cloud Security Center:

  • Discover risks: After you enable host security protection, Security Center continuously detects known vulnerabilities and other security risks in your servers and applications.

  • Alert notifications: In Notification Settings, you can configure Security Center to send notifications to specified recipients when it detects a security risk on an asset. This lets you handle risk events promptly and secure your assets.

Stay informed about the latest security updates to fix vulnerabilities promptly and avoid potential losses. You can also regularly check the official Alibaba Cloud Security notices to stay updated on the latest vulnerability information.

Fix vulnerabilities

Use Security Center to manage and fix application and high-risk vulnerabilities

Console

Vulnerability fixing is a paid feature. You must enable it before you can fix vulnerabilities.

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > Vulnerabilities. Click the number under High-priority Vulnerabilities (CVE). A value of 0 indicates that there are no important vulnerabilities. Find vulnerabilities that have a status of Unfixed and an urgency of High.

  3. In the Actions column, click Fix. Follow the on-screen instructions to enter information, such as the Snapshot Retention Period, and then click Fix Now. After the task is created, click OK.

  4. After the fix task runs, the vulnerability status changes to Fixing.

    After the task is complete, click Verify or wait for the next vulnerability scan cycle to run. Confirm that the vulnerability status changes to Handled or that the vulnerability is no longer displayed in the list. If the fix fails, troubleshoot the issue based on the information provided.

API

  • Call the ModifyOperateVul API operation to handle detected vulnerabilities.

  • Call the OperateVuls API operation to fix Linux software vulnerabilities.

For more information about vulnerability management OpenAPI operations, see Vulnerability fixing.

Compliance

Vulnerability scans

After you enable host security protection, the free edition of Security Center is activated. By default, the system periodically scans for vulnerabilities every two days. You can view the scan results on the Vulnerability Management page:

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > Vulnerabilities. In the upper-left corner of the console, select the region of the asset that you want to protect.

  3. On the Vulnerabilities page, you can manually scan for vulnerabilities or configure automatic vulnerability scans.

Check: Check for instances with high-risk vulnerabilities

Security Center

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Risk Governance > CSPM. Click the Cloud Product Configuration Risks tab. Find the check item named Computers with unpatched high-risk system vulnerabilities and click Scan in the Actions column.

    A status of Failed indicates that there are instances with unfixed high-risk system vulnerabilities. You can click Details to view the instances. For more information, see Cloud Security Posture Management overview.

Fix: Fix high-risk security vulnerabilities on instances

Fix high-risk vulnerabilities using Security Center Vulnerability Management

For more information about the operations, see Use Security Center to manage and fix application and high-risk vulnerabilities.