To ensure security, we recommend that you run scan tasks on your assets on a regular basis. Security Center supports automatic periodic scan tasks and manual scan tasks. This topic describes how to configure an automatic periodic scan task and how to run a manual scan task.

Types of vulnerabilities that can be detected and fixed in each edition of Security Center

| Vulnerability type | Feature | Basic edition | Anti-virus edition | Advanced edition | Enterprise edition | Ultimate edition |
| --- | --- | --- | --- | --- | --- | --- |
| Linux software vulnerability | Manual vulnerability scan | No | No | Yes | Yes | Yes |
| Linux software vulnerability | Periodic automatic vulnerability scan | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) |
| Linux software vulnerability | Vulnerability fixing | No | No | Yes | Yes | Yes |
| Windows system vulnerability | Manual vulnerability scan | No | No | Yes | Yes | Yes |
| Windows system vulnerability | Periodic automatic vulnerability scan | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) |
| Windows system vulnerability | Vulnerability fixing | No | No | Yes | Yes | Yes |
| Web-CMS vulnerability | Manual vulnerability scan | No | No | Yes | Yes | Yes |
| Web-CMS vulnerability | Periodic automatic vulnerability scan | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is two days.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) | Yes (The default scan cycle is one day.) |
| Web-CMS vulnerability | Vulnerability fixing | No | No | Yes | Yes | Yes |
| Application vulnerability | Manual vulnerability scan | No | No | No | Yes | Yes |
| Application vulnerability | Periodic automatic vulnerability scan | No | No | No | Yes (The default scan cycle is one week. You can specify a custom scan cycle.) | Yes (The default scan cycle is one week. You can specify a custom scan cycle.) |
| Application vulnerability | Vulnerability fixing | No | No | No | No | No |
| Urgent vulnerability | Manual vulnerability scan | Yes | Yes | Yes | Yes | Yes |
| Urgent vulnerability | Periodic automatic vulnerability scan | No | No | Yes (The default scan cycle is one week. You can specify a custom scan cycle.) | Yes (The default scan cycle is one week. You can specify a custom scan cycle.) | Yes (The default scan cycle is one week. You can specify a custom scan cycle.) |
| Urgent vulnerability | Vulnerability fixing | No | No | No | No | No |

Security Center scans for application vulnerabilities based on the following methods:
  • Web Scanner: inspects network traffic to detect vulnerabilities in your system. For example, you can use this method to scan for SSH weak passwords and remote command execution.
  • Software Component Analysis: identifies software versions to detect vulnerabilities in your system. For example, you can use this method to scan for vulnerabilities of Apache Shiro authorization and Kubernetes kubelet resource management.

Web-CMS vulnerabilities that can be detected

Check items by component type:

74CMS
  • Multiple SQL injection vulnerabilities in 74CMS
  • Privilege escalation vulnerability in 74CMS
  • SQL injection vulnerability in 74CMS
  • Arbitrary file deletion vulnerability in 74CMS v4.1.15
  • Arbitrary file read vulnerability in the latest version of 74CMS

DedeCMS
  • Variable overwrite vulnerability in DedeCMS
  • Arbitrary file upload vulnerability in DedeCMS
  • Reinstallation vulnerability in DedeCMS
  • Injection vulnerability in DedeCMS
  • File upload vulnerability in DedeCMS
  • Password resetting vulnerability in DedeCMS
  • Vulnerability of arbitrary user logon from the frontend caused by cookie leaks in DedeCMS
  • SQL injection vulnerability caused by session variable overwrite in DedeCMS
  • Vulnerability of arbitrary file upload at the backend in DedeCMS
  • SQL injection vulnerability in DedeCMS
  • Template SQL injection vulnerability in DedeCMS
  • SQL injection vulnerability caused by cookie leaks in DedeCMS
  • Payment plug-in injection vulnerability in DedeCMS
  • Arbitrary file deletion by registered users in DedeCMS V5.7
  • CSRF protection bypass vulnerability in DedeCMS V5.7
  • Arbitrary file upload by common users in DedeCMS select_soft_post.php
  • Arbitrary file upload vulnerability in DedeCMS V5.7 SP2 (CVE-2019-8362)

Discuz
  • Code execution vulnerability in Discuz!
  • MemCache + ssrf permission acquisition vulnerability (GetShell) in Discuz!
  • Backend SQL injection vulnerability in Discuz!
  • Arbitrary attachment download caused by privilege escalation vulnerabilities in Discuz!
  • Arbitrary file deletion vulnerability in Discuz!
  • Encrypted message forgery vulnerability caused by authcode function defects in Discuz!
  • Command execution vulnerability in the backend database backup feature of Discuz!

ECShop
  • Code injection vulnerability in ECShop
  • Password retrieval vulnerability in ECShop
  • Injection vulnerability in ECShop
  • ECShop backdoor
  • Arbitrary user logon vulnerability in ECShop
  • Backend SQL injection vulnerability in ECShop
  • SQL injection vulnerability in ECShop
  • Vulnerability of overwriting variables in the ECShop installation directory at the backend
  • Code execution caused by SQL injection vulnerabilities in ECShop
  • Secondary injection vulnerability in ECShop
  • Backend permission acquisition vulnerability in ECShop (GetShell)
  • Backend file download vulnerability in ECShop 2.7.3

FCKEditor
  • Arbitrary file upload vulnerability in FCKeditor

Joomla
  • Remote code execution (RCE) vulnerability caused by malformed deserialized packet injection in Joomla!
  • Unauthorized user creation vulnerability in Joomla! (CVE-2016-8870)
  • Core SQL injection vulnerability in Joomla! 3.7.0
  • SQL injection vulnerability in Joomla!

PHPCMS
  • Injection vulnerability in PHPCMS
  • AuthKey leak vulnerability in PHPCMS
  • Wide byte injection vulnerability in PHPCMS v9
  • Arbitrary file read vulnerability caused by frontend code injection in PHPCMS
  • Permission acquisition vulnerability caused by some logic issues in PHPCMS (GetShell)
  • AuthKey leak caused by AuthKey generation algorithm issues in PHPCMS
  • SQL injection vulnerability in PHPCMS v9.6.2
  • common.inc RCE vulnerability in PHPCMS 2008
  • RCE vulnerability in template cache of PHPCMS 2008

phpMyAdmin
  • Deserialized injection vulnerability in phpMyAdmin
  • CVE-2016-6617 SQL injection vulnerability in phpMyAdmin
  • Permission acquisition vulnerability caused by checkPageValidity function defects in phpMyAdmin version 4.8.1 and earlier (GetShell)
  • phpMyAdmin 4.8.5

phpwind
  • GET request CSRF vulnerability in PHPWind v9 task center
  • Permission acquisition vulnerability caused by MD5 padding vulnerabilities in PHPWind v9 (GetShell)
  • Backend SQL injection vulnerability in PHPWind
  • Cross-site scripting (XSS) injection into UBB tag attributes in PHPWind

ThinkPHP5
  • Medium-risk permission acquisition vulnerability caused by cache function design flaws in ThinkPHP 5.0.10-3.2.3 (GetShell)
  • High-risk RCE vulnerability in ThinkPHP 5.0
  • RCE vulnerability in ThinkPHP 5.1.X to 5.1.30 (included)
  • High-risk Request.php RCE vulnerability in versions earlier than ThinkPHP 5.0.24

WordPress
  • Arbitrary file upload vulnerability in WordPress
  • IP address verification vulnerability in WordPress
  • WP_Image_Editor_Imagick instruction injection vulnerability in WordPress
  • XSS vulnerability in the bbPress plug-in of WordPress
  • Mailpress RCE vulnerability in WordPress
  • DOS vulnerability caused by arbitrary directory traversal in the backend plug-in update module of WordPress
  • SQL injection vulnerability caused by arbitrary user logon to the backend plug-in of WordPress
  • Username enumeration vulnerability in versions earlier than WordPress 4.7.1 (CVE-2017-5487)
  • SQL injection vulnerability in WordPress
  • XSS vulnerability in WordPress
  • Content injection vulnerability in WordPress
  • RCE vulnerabilities caused by the sitename field in WordPress Mail
  • SQL injection vulnerability in the Catalogue plug-in of WordPress
  • Arbitrary file deletion vulnerability in WordPress
  • Permission acquisition vulnerability caused by multiple defects, such as Author permission path traversal in WordPress (GetShell)

Application vulnerabilities that can be detected

Check items by vulnerability type:

Weak passwords in system services
  • OpenSSH services
  • MySQL database services
  • Microsoft SQL Server (MSSQL) database services
  • MongoDB database services
  • FTP, VSFTP, and ProFTPD services
  • Memcache cache services
  • Redis caching services
  • Subversion control services
  • Server Message Block (SMB) file sharing services
  • Simple Mail Transfer Protocol (SMTP) email delivery services
  • Post Office Protocol 3 (POP3) email reception services
  • Internet Message Access Protocol (IMAP) email management services

Vulnerabilities in system services
  • OpenSSL heartbleed vulnerabilities
  • SMB
    • Samba
    • Brute-force attacks against weak passwords
  • RSYNC
    • Anonymous access to sensitive data
    • Brute-force attacks against password-based authentication
  • Brute-force attacks against Virtual Network Console (VNC) passwords
  • Brute-force attacks against pcAnywhere passwords
  • Brute-force attacks against Redis passwords

Vulnerabilities in application services
  • phpMyAdmin weak passwords
  • Tomcat console weak passwords
  • Apache Struts 2 remote command execution vulnerabilities
  • Apache Struts 2 remote command execution vulnerability (S2-046)
  • Apache Struts 2 remote command execution vulnerability (S2-057)
  • Arbitrary file uploads in ActiveMQ (CVE-2016-3088)
  • Arbitrary file reads in Confluence
  • CouchDB Query Server remote command execution
  • Brute-force attacks against administrator weak passwords in Discuz!
  • Unauthorized access to Docker
  • Remote code execution in Drupal Drupalgeddon 2 (CVE-2018-7600)
  • ECshop code execution vulnerabilities in logon endpoints
  • Unauthorized access to Elasticsearch
  • Elasticsearch MvelRCE CVE-2014-31
  • Elasticsearch Groovy RCE CVE-2015-1427
  • Expression Language (EL) Injection in Weaver OA
  • Unauthorized access to Hadoop YARN ResourceManager
  • Path traversal in JavaServer Faces 2
  • Java deserialization in JBoss EJBInvokerServlet
  • Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002)
  • Unauthorized access to Jenkins
  • Jenkins Script Security Plugin RCE
  • Unauthorized access to Kubernetes
  • SQL injection vulnerabilities in the MetInfo getPassword interface
  • SQL injection vulnerabilities in the MetInfo logon interface
  • Arbitrary file uploads in PHPCMS 9.6
  • PHP-CGI remote code execution vulnerabilities
  • Actuator unauth RCE
  • ThinkPHP_RCE_20190111
  • Server-side request forgery (SSRF) in WebLogic UDDI Explorer
  • SSRF in WordPress xmlrpc.php
  • Brute-force attacks against the Zabbix web console
  • OpenSSL heartbleed detection
  • Unauthorized access to the WEB-INF directory in Apache Tomcat

Server IP addresses of the web scanner

When you use Security Center to scan for application vulnerabilities in your servers, Security Center simulates intrusions that are launched from the Internet to scan your servers. If your servers are protected by a security protection or monitoring system, such as Web Application Firewall (WAF) or Secure Operations Center (SOC), we recommend that you add the server IP addresses of the web scanner to the whitelist in your protection or monitoring system. This ensures that your scan tasks run as expected. You must add the following IP addresses to the whitelist in your protection or monitoring system:

47.110.180.32, 47.110.180.33, 47.110.180.34, 47.110.180.35, 47.110.180.36, 47.110.180.37, 47.110.180.38, 47.110.180.39, 47.110.180.40, 47.110.180.41, 47.110.180.42, 47.110.180.43, 47.110.180.44, 47.110.180.45, 47.110.180.46, 47.110.180.47, 47.110.180.48, 47.110.180.49, 47.110.180.50, 47.110.180.51, 47.110.180.52, 47.110.180.53, 47.110.180.54, 47.110.180.55, 47.110.180.56, 47.110.180.57, 47.110.180.58, 47.110.180.59, 47.110.180.60, 47.110.180.61, 47.110.180.62, and 47.110.180.63
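
The following Python example is added here and is not part of Security Center or its documentation. It collapses the scanner addresses listed above into CIDR form for a whitelist rule and separates scanner events from all other events in WAF or SOC logs, so that the exception stays scoped to exactly these addresses. The log line format and the sample events are constructed for illustration.

```python
import ipaddress

# Scanner source addresses as listed on this page:
# 47.110.180.32 through 47.110.180.63.
SCANNER_IPS = [f"47.110.180.{i}" for i in range(32, 64)]


def scanner_networks():
    """Collapse the individual addresses into the smallest set of CIDR blocks."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(ip) for ip in SCANNER_IPS))


def is_scanner(source, networks=None):
    """Return True only if source falls inside the listed scanner range."""
    networks = networks or scanner_networks()
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # malformed source field: never treat it as trusted
    return any(addr in net for net in networks)


def triage(log_lines):
    """Split WAF/SOC events into scanner traffic and everything else.

    Assumed (constructed) line format: '<source_ip> <method> <path> <rule>'.
    """
    nets = scanner_networks()
    scanner, other = [], []
    for line in log_lines:
        src = line.split(maxsplit=1)[0] if line.strip() else ""
        (scanner if is_scanner(src, nets) else other).append(line)
    return scanner, other


# Constructed sample events, not real logs.
SAMPLE = [
    "47.110.180.40 GET /index.php?id=1' sqli-rule",
    "47.110.180.64 GET /index.php?id=1' sqli-rule",   # one past the range
    "47.110.180.31 POST /login brute-force-rule",     # one before the range
    "not-an-ip GET / malformed",
]

if __name__ == "__main__":
    print("whitelist:", [str(n) for n in scanner_networks()])
    tagged, alerts = triage(SAMPLE)
    print("scanner events:", tagged)
    print("still alerting:", alerts)
```

Events from addresses adjacent to the range remain in the alerting set, which is the behavior to verify after the whitelist rule is deployed.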

Procedure

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Vulnerabilities.
  2. On the Vulnerabilities page, run a manual scan task or configure an automatic periodic scan task.
    • Run a manual scan task on your servers

      If you want to check whether vulnerabilities exist on your servers, you can use the quick scan feature to run a manual scan task on your servers.

      1. On the Vulnerabilities page, click Scan now.

        Before you use the quick scan feature, you can click Settings in the upper-right corner of the page. In the Settings panel, click Manage to the right of each check item and check whether the servers that you want to scan are displayed in the Assets section.

      2. In the Scan for Vulnerabilities dialog box, select the type of vulnerabilities that you want to scan for and click OK.
        Note
        • After you use the quick scan feature, Security Center scans all protected assets. The time required to complete the scan is approximately 30 minutes. Wait until the scan is complete. You can refresh the page to view the most recent statistics.
        • After a scan task is created, you must wait for at least 15 minutes before you can stop the scan task.
    • Run an automatic periodic scan task on your servers

      You can configure a scan cycle for an automatic periodic scan task. Security Center then runs the task on that cycle to scan for vulnerabilities on your servers.

      1. In the upper-right corner of the Vulnerabilities page, click Settings.
      2. In the Settings panel, configure the parameters based on your business requirements.
        Parameters and their descriptions:
        • Linux Software, Windows System, Web CMS, Emergency: Turn on or turn off the switches to enable or disable the scan for Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, and urgent vulnerabilities. After you turn on a switch, you can click Manage on the right to add or remove servers that you want to scan for the corresponding vulnerabilities.
        • Application: Turn on or turn off the switch to enable or disable the scan for application vulnerabilities.
        • YUM/APT Source Configuration: Turn on or turn off the switch to specify whether to preferentially use YUM or APT sources of Alibaba Cloud to fix vulnerabilities.
          Note: Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability may fail to be fixed. After you turn on the switch, Security Center automatically selects a YUM or APT source of Alibaba Cloud. This improves the success rate of vulnerability fixing. We recommend that you turn on YUM/APT Source Configuration.
        • Emergency vul(s) Scan Cycle: Specify the scan cycle for urgent vulnerabilities.
          Note:
          • Only users of the Advanced, Enterprise, and Ultimate editions of Security Center can specify the Emergency vul(s) Scan Cycle parameter. By default, the scan period for urgent vulnerabilities is 00:00:00 to 07:00:00.
          • If your servers are deployed in a private network or urgent vulnerability detection is not required, you can set Emergency vul(s) Scan Cycle to Stop.
          • Your servers may be attacked in various ways. We recommend that you set Emergency vul(s) Scan Cycle to a value other than Stop. This way, Security Center detects urgent vulnerabilities on your servers in a timely manner.
        • Application Vul(s) Scan Cycle: Specify the scan cycle for application vulnerabilities.
          Note: Only users of the Enterprise and Ultimate editions of Security Center can specify the Application Vul(s) Scan Cycle parameter. By default, the scan period for application vulnerabilities is 00:00:00 to 07:00:00.
        • Retain Invalid Vul for: Specify the number of days after which a detected vulnerability is automatically deleted.
          Note: If you do not handle a detected vulnerability and the vulnerability is no longer detected in multiple subsequent detections, the vulnerability is automatically removed from the Vulnerabilities page after the specified number of days. If vulnerabilities of the same type are detected, Security Center still generates alerts.
        • Vul scan level: Specify priorities for the vulnerabilities that Security Center detects.
          Note: Security Center detects and displays only vulnerabilities that have the priorities specified by the Vul scan level parameter. If you select High and Medium, Security Center detects only vulnerabilities that have High and Medium priorities. On the Vulnerabilities page, only vulnerabilities that have High and Medium priorities are displayed.
        • Vulnerability Whitelist Settings: If you do not want to scan for a vulnerability, you can add the vulnerability to the vulnerability whitelist. Security Center does not detect the vulnerabilities in the vulnerability whitelist.
          • Add whitelist rules: Click Add rules. In the AddVulnerability rule panel, configure a whitelist rule based on a specified type of vulnerability.
          • Edit whitelist rules: Click Edit on the right of the vulnerability that is added to a whitelist rule. In the panel that appears, modify the Rule scope and Note parameters.
          • Remove vulnerabilities from the whitelist: Click Delete on the right of a vulnerability to remove the vulnerability from the whitelist. After you remove the vulnerability from the whitelist, Security Center can detect the vulnerability and generate alerts for the vulnerability.
    After the vulnerability settings are configured, Security Center detects vulnerabilities on your servers based on the configurations. You can click Task management in the upper-right corner of the Vulnerabilities page and view the scan progress of vulnerabilities. After the scan is complete, you can click a tab on the Vulnerabilities page to view the most recent scan results.