The application vulnerability detection feature can detect common application vulnerabilities. This topic describes how to view and handle application vulnerabilities.
Limits
Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Feature.
Limits
- Security Center can detect application vulnerabilities, but it cannot fix the detected application vulnerabilities. You must manually fix the vulnerabilities on your servers by following Suggestions on the Detail tab.
- Security Center provides two modes to scan application vulnerabilities: Web Scanner and Software Component Analysis. The two modes have the following limits:
- Web Scanner: scans only the servers that can access the Internet and have the Security Center agent installed. The servers can be Elastic Compute Service (ECS) instances or the servers that are not deployed on Alibaba Cloud.
- Software Component Analysis: scans the servers that have the Security Center agent installed. The servers can be ECS instances or the servers that are not deployed on Alibaba Cloud.
View the basic information about a vulnerability
- On the Application tab, view all the application vulnerabilities that are detected by Security Center.
You can perform the following operations on the tab:
- Search for vulnerabilities
On the Application tab, you can search for vulnerabilities by severity level, vulnerability status, scan mode, asset group, virtual private cloud (VPC) name, or vulnerability name. The severity level can be high, medium, or low. The vulnerability status can be handled or unhandled. The scan mode can be web scanner or software component analysis. You can also search for vulnerabilities by server IP address or server name.
- View vulnerabilities
- View vulnerability scan modesSecurity Center scans for application vulnerabilities based on the following methods:
- Web Scanner: inspects network traffic to detect vulnerabilities in your system. For example, you can use this method to scan for SSH weak passwords and remote command execution.
- Software Component Analysis: identifies software versions to detect vulnerabilities in your system. For example, you can use this method to scan for vulnerabilities of Apache Shiro authorization and Kubernetes kubelet resource management.
- View the priorities of vulnerabilities and the number of affected assetsThe priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of this column indicates the total number of the assets affected by a vulnerability. The following list describes the relationship between colors and priorities:
- Red: High
- Orange: Medium
- Gray: Low
Note We recommend that you fix vulnerabilities with the High priority at the earliest opportunity. - Add vulnerabilities to the whitelist
On the Application tab, you can select one or more vulnerabilities and click Add to Whitelist to add them to the whitelist. Security Center no longer generates alerts on the vulnerabilities that are added to the whitelist.
Vulnerabilities that are added to the whitelist are not displayed in the vulnerability list on the Application tab. If you want to view these vulnerabilities, you can click Settings in the upper-right corner of the Vulnerabilities page and find the vulnerabilities in the Vul Whitelist section.
If you want Security Center to detect and generate alerts on a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist section in the Settings panel and click Remove.
- Export vulnerabilities
On the Application tab, you can click the
icon to export and save all detected vulnerabilities to your computer. The vulnerabilities
are exported to an Excel file.
Note The time to export the vulnerabilities varies based on the size of vulnerability data.
- Search for vulnerabilities
View vulnerability details and handle vulnerabilities
- In the panel, view and handle the vulnerability. You can perform the following operations:
- View vulnerability detailsThe panel displays all the affected assets and vulnerabilities associated with the vulnerability. You can analyze and handle multiple vulnerabilities at a time. You can view the following information:
- On the Detail tab, you can view the associated vulnerabilities, descriptions, impacts, and characteristics.
- On the Pending vulnerability tab, you can view the assets that are affected by this vulnerability.
You can view the assets affected by the vulnerability and the status of the vulnerability. You can also verify a vulnerability fix, add a vulnerability to the whitelist, ignore a vulnerability, or restore an ignored vulnerability.
Click an asset in the Affected Assets column to go to the Vulnerabilities tab of the Assets page. Then, click the Application tab to view the information about all application vulnerabilities associated with this asset.
- View the details about the Alibaba Cloud vulnerability library
On the Detail tab, find the vulnerability that you want to view and click CVE ID to go to the Alibaba Cloud vulnerability library. On the page that appears, view details about the vulnerability, including the vulnerability description, basic information, and solution.
- View vulnerability status
The status of a vulnerability can be Handled or Unhandled.
- Handled
- Handled: The vulnerability is fixed.
- Ignored: The vulnerability is ignored. Security Center no longer generates alerts on this vulnerability.
- Unhandled
- Unfixed: The vulnerability is to be fixed.
- Verifying: After you start the verification, the state of the vulnerability changes to Verifying.
Note By default, all the unhandled vulnerabilities are displayed in the application vulnerability list.
- Handled
- Verify vulnerability fixes
After you manually fix a vulnerability based on the Suggestions that are displayed on the Detail tab, click Verify to check whether the vulnerability is fixed. Find the vulnerability for which you want to verify the fix and click Verify in the Actions column.
After you click Verify, the
%;state of the vulnerability changes to Verifying. It takes several seconds to verify the vulnerability fix.The following list shows the two possible results:- Verification succeeded: The state of the vulnerability changes to Fixed. You can view the vulnerability in the Handled vulnerability list.
- Verification failed: The state of the vulnerability changes to Unfixed. This indicates that the vulnerability has not been fixed. We recommend that you troubleshoot the issue and handle the vulnerability at the earliest opportunity.
- Ignore vulnerabilities
If you do not want Security Center to generate alerts on some vulnerabilities, you can ignore these vulnerabilities. Select the vulnerability that you want to ignore and click Ignore in the Actions column. Security Center no longer generates alerts on this vulnerability.
Note The state of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, find the vulnerability in the Handled vulnerability list and click Unignore in the panel.
- View vulnerability details
Application vulnerabilities that can be detected
| Vulnerability type | Check item |
|---|---|
| Weak passwords in system services | OpenSSH services |
| MySQL database services | |
| Microsoft SQL Server (MSSQL) database services | |
| MongoDB database services | |
| FTP, VSFTP, and ProFTPD services | |
| Memcache cache services | |
| Redis caching services | |
| Subversion control services | |
| Server Message Block (SMB) file sharing services | |
| Simple Mail Transfer Protocol (SMTP) email delivery services | |
| Post Office Protocol 3 (POP3) email reception services | |
| Internet Message Access Protocol (IMAP) email management services | |
| Vulnerabilities in system services | OpenSSL heartbleed vulnerabilities |
SMB
|
|
RSYNC
|
|
| Brute-force attacks against VNC passwords | |
| Brute-force attacks against pcAnywhere passwords | |
| Brute-force attacks against Redis passwords | |
| Vulnerabilities in application services | phpMyAdmin weak passwords |
| Tomcat console weak passwords | |
| Apache Struts 2 remote command execution vulnerabilities | |
| Apache Struts 2 remote command execution vulnerability (S2-046) | |
| Apache Struts 2 remote command execution vulnerability (S2-057) | |
| Arbitrary file uploads in ActiveMQ (CVE-2016-3088) | |
| Arbitrary file reads in Confluence | |
| CouchDB Query Server remote command execution | |
| Discuz!Brute-force attacks against administrator weak passwords | |
| Unauthorized access to Docker | |
| Remote code execution in Drupal Drupalgeddon 2 (CVE-2018-7600) | |
| ECshop code execution vulnerabilities in logon endpoints | |
| Unauthorized access to Elasticsearch | |
| Elasticsearch MvelRCE CVE-2014-31 | |
| Elasticsearch Groovy RCE CVE-2015-1427 | |
| Expression Language (EL) Injection in Weaver OA | |
| Unauthorized access to Hadoop YARN ResourceManager | |
| Path traversal in JavaServer Faces 2 | |
| Java deserialization in JBoss EJBInvokerServlet | |
| Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002) | |
| Unauthorized access to Jenkins | |
| Jenkins Script Security Plugin RCE | |
| Unauthorized access to Kubernetes | |
| SQL injection vulnerabilities in the MetInfo getPassword interface | |
| SQL injection vulnerabilities in the MetInfo logon interface | |
| Arbitrary file uploads in PHPCMS 9.6 | |
| PHP-CGI remote code execution vulnerabilities | |
| Actuator unauth RCE | |
| ThinkPHP_RCE_20190111 | |
| Server-side request forgery (SSRF) in WebLogic UDDI Explorer | |
| SSRF in WordPress xmlrpc.php | |
| Brute-force attacks against the Zabbix web console | |
| OpenSSL heartbleed detection | |
| Unauthorized access to the WEB-INF directory in Apache Tomcat |
References
What are the differences between baselines and vulnerabilities?