Security Center can detect Linux software vulnerabilities and allows you to fix the vulnerabilities with a few clicks. This topic describes how to view and handle Linux software vulnerabilities.

Limits

The Basic and Anti-virus editions of Security Center detect but do not fix vulnerabilities. To use Security Center to fix vulnerabilities with a few clicks, you must purchase the Advanced, Enterprise, or Ultimate edition. For more information about the features supported by different Security Center editions, see Features.

View the basic information about a vulnerability

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Linux Software tab.
  4. On the Linux Software tab, view the Linux software vulnerabilities that are detected by Security Center. In most cases, the name of a Linux software vulnerability starts with USN, RHSA, or CVE.
    • View vulnerabilitiesView vulnerabilities
    • View the priorities of vulnerabilities and the number of affected assets
      The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of the column indicates the total number of the assets affected by a vulnerability. The following list describes the relationship between colors and priorities:
      • Red: High
      • Orange: Medium
      • Gray: Low
      View vulnerability priorities
      Note We recommend that you fix the vulnerabilities that have the High priority at the earliest opportunity.
    • Add vulnerabilities to the whitelist

      On the Linux Software tab, select one or more vulnerabilities that you want to add to the whitelist and click Add to Whitelist below the vulnerability list. After you add the vulnerabilities to the whitelist, Security Center no longer generates alerts for the vulnerabilities.

      Add vulnerabilities to the whitelist

      Vulnerabilities that are added to the whitelist are removed from the vulnerability list on the Linux Software tab. You can click Settings in the upper-right corner of the page to view the vulnerabilities in the Vul Whitelist section.

      If you want Security Center to detect and generate alerts for a vulnerability that is added to the whitelist, select the vulnerability in the Vul Whitelist section in the Settings panel and click Remove.

      Vul Whitelist
    • Fix multiple vulnerabilities at a time
      If you fix multiple vulnerabilities at a time, Security Center automatically identifies affected assets and fixes the vulnerabilities on these assets. On the Linux Software tab, you can select the vulnerabilities that you want to fix at a time and click Batch Repair. In the Batch Repair dialog box, view the affected assets, select Create snapshots automatically and fix or Skip snapshot backup and fix directly, and then click Fix Now. Batch Repair
      Notice
      • You can select the vulnerabilities only on the current page. A total of 10, 20, or 50 vulnerabilities can be displayed on each page. Therefore, you can fix up to 50 vulnerabilities at a time.
      • For outdated or commercial operating systems, you must manually upgrade the operating systems to fix vulnerabilities. Security Center cannot fix multiple vulnerabilities that are detected on the operating systems at a time. After you use the Batch Repair feature to fix the vulnerabilities, Security Center ignores the vulnerabilities. If you use one of the following operating systems, you must upgrade your operating system to fix multiple vulnerabilities at a time:
        • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
        • CentOS 5
        • Ubuntu 12
      • The system may fail to fix a vulnerability. Before you click Fix Now, we recommend that you select Create snapshots automatically and fix to create a snapshot of the system. For more information about Elastic Compute Service (ECS) snapshots, see Snapshot overview.
      • You are charged based on the billing methods of the snapshot service.For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.005 per day. For more information, see Snapshots.
    • Search for vulnerabilities
      On the Linux Software tab, you can search for vulnerabilities by using or combining the following methods:
      • Search for vulnerabilities by priority. The priority can be High, Medium, or low.
      • Search for vulnerabilities by status. The status can be Handled or Unhandled.
      • Search for vulnerabilities by Asset group, VPC, or Tags.
      • Enter the name or Common Vulnerabilities and Exposures (CVE) ID of a vulnerability in the search box.
        Note If you search for vulnerabilities by name, fuzzy match is supported.
      Search for vulnerabilities
    • Export vulnerabilities
      In the upper-right corner of the Linux Software tab, you can click the The Export icon icon to export and save all detected vulnerabilities to your computer. The exported file is in the Excel format.
      Note The time that is required to export the vulnerabilities varies based on the size of vulnerability data.

View and handle vulnerabilities

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Vulnerabilities.
  3. On the Vulnerabilities page, click the Linux Software tab.
  4. On the Linux Software tab, find the vulnerability that you want to view. Click the vulnerability name in the Vulnerability column or Fix in the Actions column. The panel that shows the vulnerability details appears.
  5. In the panel, view and handle the vulnerability. Vulnerability details
    You can perform the following operations:
    • View vulnerability details
      • On the Detail tab, view all vulnerabilities that are associated with the vulnerability and all assets that are affected by the vulnerability. You can also analyze all vulnerabilities and handle multiple vulnerabilities at a time.
      • On the Pending vulnerability tab, view the assets that are affected by the vulnerability.

        You can view all assets that are affected by the vulnerability and the status of the vulnerability that affects specific assets. You can fix a vulnerability, ignore a vulnerability, or add a vulnerability to a whitelist. You can also verify or undo a vulnerability fix.

      On the Detail tab, click an asset in the Affected Assets column to go to the Vulnerabilities tab of the Assets page. On this tab, you can view the information about all Linux software vulnerabilities that are associated with this asset. Assets
    • View the details about the Alibaba Cloud vulnerability library
      On the Detail tab, click the ID of a vulnerability that you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library. CVE ID

      This library displays detailed information about the vulnerability, including the vulnerability description, basic information, and solution.

    • View vulnerability priorities
      Vulnerability priorities are marked in different colors:
      • Red: High
      • Orange: Medium
      • Gray: Low
      Note We recommend that you fix the vulnerabilities that have the High priority at the earliest opportunity.
    • View the processes related to vulnerability fixes

      On the Pending vulnerability tab, click the Related process icon icon in the Related process column to view the processes that are related to the vulnerability. In the panel that appears, you can view the processes or business systems that may be affected by the vulnerability fix.

    • View the vulnerability status

      The status of a vulnerability can be Handled or Unhandled.

      • Handled
        • Handled: The vulnerability is fixed.
        • Ignored: The vulnerability is ignored. Security Center no longer generates alerts on this vulnerability.
        Note You can use snapshots to undo a vulnerability fix for a Handled vulnerability. After you undo a vulnerability fix, the status of the vulnerability changes to Unhandled.
      • Unhandled
        • Unfixed: The vulnerability is to be fixed.
        • Fixing: The vulnerability is being fixed.
        • Fix Failed: Security Center failed to fix the vulnerability. The file that contains the vulnerability data may have been modified or does not exist.
        • Handled (To Be Restarted): The vulnerability is fixed. You must restart the system for the fix to take effect.
        • Verifying: The vulnerability has been fixed. If a system restart is required, you can verify the fix after you restart the system.
    • Handle the vulnerabilities of the affected assets

      On the Pending vulnerability tab, you can fix or ignore a vulnerability. You can also verify or undo a vulnerability fix.

      Note If you want to handle the vulnerability on all affected assets, select all affected assets and perform the required operations. To select all affected assets with a few clicks, you can select the check box next to Vulnerability.

      You can perform the following operations based on your business requirements:

      • Fix vulnerabilities
        Fix vulnerabilities based on the following scenarios:
        • The Fix button is available

          Select one or more associated vulnerabilities and click Fix. Security Center can automatically create snapshots and fix vulnerabilities. You can select Create snapshots automatically and fix or Skip snapshot backup and fix directly based on your business requirements.

          Note
          • The system may fail to fix a vulnerability. Before you click Fix Now, we recommend that you select Create snapshots automatically and fix to create a snapshot of the system. For more information about Elastic Compute Service (ECS) snapshots, see Snapshot overview.
          • You are charged based on the billing methods of the snapshot service.For example, if the size of the system disk is 40 GB, the fees for snapshot storage are USD 0.005 per day. For more information, see Snapshots.
        • The Fix button is dimmed
          The button is dimmed in the following scenarios:
          • For outdated or commercial operating systems, you must manually upgrade the operating systems to fix vulnerabilities.
            Note If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities:
            • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8
            • CentOS 5
            • Ubuntu 12
          • Linux software vulnerabilities may fail to be fixed due to issues, such as insufficient disk space on your server or unauthorized access to files. Before you fix Linux software vulnerabilities in the Security Center console, you must manually handle the issues on the server. The following list describes these issues and solutions:
            • The disk space is smaller than 3 GB.
            • The apt-get or APT/YUM process is running.

              Solution: Wait until the process is complete, or manually stop the process. Then, fix the vulnerability again in the Security Center console.

            • Insufficient permissions to run the APT, YUM, or RPM command.
              Solution: Check and manage access permissions on the files. We recommend that you set file permissions to 755, and make sure that the file owner is the root user. Then, fix the vulnerability again in the Security Center console.
              Note After you set file permissions to 755, the file owner has the read, write, and execute permissions on the file. Other users and the user group to which the file owner belongs have read and execute permissions on the file.

          To view server issues, move the pointer over the Fix button. The suggestions are provided by Security Center.

      • Restart the system
        After you fix Linux kernel vulnerabilities, you must restart the system. You can use one of the following methods to restart the system:
        • (Recommended) Click Restart on the Detail tab. Restart the system
          Note If the system has vulnerabilities that are in the fixing or verifying state, you cannot restart the system. In this case, if you click Restart, an error message appears. The error message indicates that the system restart fails. Before you restart a system, make sure that no vulnerabilities are in the fixing or verifying state.
        • Run the required command in the Linux system.
      • Verify a vulnerability fix

        Select a vulnerability or multiple associated vulnerabilities and click Verify to check whether the vulnerabilities are fixed.

        After you click Verify, the Status of the vulnerability changes to Verifying. The fix can be verified after several seconds.

      • Ignore a vulnerability

        Find the vulnerability that you want to ignore, click the Ignore a vulnerability or undo a vulnerability fix icon in the Actions column, and then select Ignore. In the dialog box that appears, enter the description for the ignore operation and click OK. After a vulnerability is ignored, Security Center no longer generates alerts for the vulnerability.

        Search for Handled vulnerabilities, find the vulnerability that is ignored, and then click the vulnerability to go to the panel that shows the vulnerability details. In the panel, move the pointer over the Ignore icon icon in the Status column to view the description of the ignore operation.

        Note The state of this vulnerability changes to Ignored. If you want Security Center to generate alerts on an ignored vulnerability, find the vulnerability in the Handled vulnerability list and click Unignore in the panel.
      • Undo a vulnerability fix

        Find the vulnerability for which you want to undo the fix, click Rollback in the Actions column. In the Rollback dialog box, select the snapshot that you want to use to undo the fix and click OK.

    • Search for affected assets
      On the Pending vulnerability tab, you can search for affected assets by vulnerability priority, VPC name, asset group, vulnerability status, server IP address, or server name. The vulnerability priority can be high, medium, or low. The vulnerability status can be handled or unhandled.
      Note If you search for affected assets by server IP address or name, fuzzy match is supported.
    • Export affected assets
      In the upper-left corner of the Pending vulnerability tab, click the The Export icon icon to export and save all affected assets to your computer. The exported file is in the Excel format.
      Note The time that is required to export the vulnerabilities varies based on the size of asset data.

Description of the panel that shows the vulnerability details

Parameter Description
CVE ID The CVE ID of the vulnerability. The CVE system provides a reference method for publicly known information-security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to query relevant information about vulnerability fixes in databases that are compatible with CVE. This way, security issues can be resolved.
Impact The value of the Impact parameter is a Common Vulnerability Scoring System (CVSS) score. The CVSS score follows the widely accepted industry standard and is calculated by using the formula that depends on several attributes of the vulnerability. This score is used to determine the severity of the vulnerability.
The following list describes the severity rating scale in CVSS v3.0:
  • 0: none
  • 0.1 to 3.9: low
    • Vulnerabilities that cause local DDoS attacks
    • Vulnerabilities that have minor impacts
  • 4.0 to 6.9: medium
    • Vulnerabilities that affect users only when the system and user interacts
    • Vulnerabilities that attackers can exploit to perform unauthorized operations
    • Vulnerabilities that can be exploited after attackers change local configurations or obtain the required information
  • 7.0 to 8.9: high
    • Vulnerabilities that attackers can exploit to indirectly obtain permissions on your server and application systems
    • Vulnerabilities that attackers can exploit to read, write, download, or delete files
    • Vulnerabilities that cause sensitive data leaks
    • Vulnerabilities that cause service interruptions or remote DDoS attacks
  • 9.0 to 10.0: critical
    • Vulnerabilities that attackers can exploit to directly obtain permissions on your server
    • Vulnerabilities that attackers can exploit to directly obtain sensitive data and cause data leaks
    • Vulnerabilities that cause unauthorized access to sensitive data
    • Vulnerabilities that cause large-scale impacts
Affected Assets The details about assets that are affected by the vulnerability, including the public and private IP addresses of the assets.
Priority The vulnerability priority. The following items describe the priorities:
  • High

    We recommend that you fix high-priority vulnerabilities at the earliest opportunity.

  • Medium

    You can fix medium-priority vulnerabilities based on your business requirements.

  • Low

    You can fix or ignore low-priority vulnerabilities based on your business requirements.

Details In the panel, find a vulnerability and click Details in the Actions column to view the details about the vulnerability.
  • Fix Command: the command that you can run to fix the vulnerability.
  • Impact description:
    • Software: the version of the software on the current server.
    • Cause: the reason why the software has the vulnerability. In most cases, the vulnerability is detected due to the outdated version of the software.
    • Path: the path of the software on the server.
  • Caution: important notes, prevention tips, and references for the vulnerability.

References

How often does Security Center detect vulnerabilities?

What are the differences between baselines and vulnerabilities?

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?