After a user fixes a Linux kernel vulnerability in the Security Center console, a system restart is required so that the vulnerability can be fixed. After I restart the system or my Elastic Compute Service (ECS) instance, the status of the vulnerability changes to Handled (To Be Restarted) in the Security Center console. I cannot check whether the vulnerability is fixed.
After you fix kernel vulnerabilities on a server that uses the Ubuntu kernel, the latest kernel is not used when the system is restarted. This is because the kernel selection order in the GRUB boot menu is modified. When you install the latest kernel on the server, the system asks you whether you want to keep the existing modifications on the GRUB boot menu. You must use silent installation in which the latest kernel is prioritized during startup.
The following list describes the solutions for different kernel settings:
- If you want to retain the default settings of the latest kernel rather than the original GRUB boot menu configurations, specify the following environment variable before you run the command to fix vulnerabilities. This way, the system automatically uses the default settings.
- If you do not want to use the default settings of the latest kernel, manually modify the kernel selection order in the GRUB boot menu. For more information, see How do I modify the boot sequence of the Linux kernel?
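
To confirm after the restart that the server booted the newest installed kernel, compare the running kernel version with the kernel images in `/boot`. The following script is an added example, not part of the original Security Center documentation; the function names are hypothetical, and it assumes Ubuntu's `/boot/vmlinuz-<version>` naming and GNU `sort -V`.

```shell
#!/bin/sh
# Added example: verify that the running kernel is the newest one installed.
# Assumes Ubuntu's /boot/vmlinuz-<version> naming and GNU `sort -V`.

# Print the highest kernel version that has an image in BOOT_DIR (default /boot).
newest_installed_kernel() {
    boot_dir=${1:-/boot}
    for img in "$boot_dir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Print "current", "stale <newest>" or "unknown" for the given running version.
kernel_boot_status() {
    running=$1
    newest=$(newest_installed_kernel "${2:-/boot}")
    if [ -z "$newest" ]; then
        echo "unknown"                     # no kernel images found
        return 0
    fi
    if [ "$running" = "$newest" ]; then
        echo "current"
        return 0
    fi
    top=$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)
    if [ "$top" = "$newest" ]; then
        echo "stale $newest"               # GRUB booted an older kernel
    else
        echo "unknown"                     # running kernel has no image in BOOT_DIR
    fi
}

# Report for this host.
echo "running: $(uname -r)"
echo "status:  $(kernel_boot_status "$(uname -r)")"
```

A `stale` result means a newer kernel image is installed but was not selected at boot, which matches the GRUB ordering problem described above.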