This topic provides an overview of the vulnerability fixing feature of Security Center. You can use Security Center to detect and fix common vulnerabilities with a few clicks. You can enable Security Center to automatically scan servers for vulnerabilities on a regular basis. You can also manually perform quick scan tasks to scan servers for vulnerabilities. You can view the overall security status of your assets. If vulnerabilities are detected, you can use the vulnerability fixing feature to fix the vulnerabilities.

Background information

When you fix a Linux software vulnerability in the Security Center console with a few clicks, the YUM utility of Linux automatically downloads and installs the patch that is required to fix the vulnerability, and then deletes the patch package three days after the vulnerability is fixed. No manual operations are required.

When you fix a Windows system vulnerability in the Security Center console with a few clicks, the Security Center agent automatically downloads and installs the patch that is required to fix the vulnerability, and then deletes the patch package. No manual operations are required. If the Security Center agent has not deleted the patch three days after the vulnerability is fixed, you can manually delete the patch package. For more information, see How do I delete the patch that is required to fix a Windows system vulnerability from the directory of the Security Center agent?

Limits

The following symbols are used in the table:
  • √: indicates that the feature is supported.
  • ×: indicates that the feature is not supported.
Vulnerability type             Feature                  Basic  Anti-virus  Advanced  Enterprise  Ultimate
Linux software vulnerability   Vulnerability detection  √      √           √         √           √
                               Vulnerability fixing     ×      ×           √         √           √
Windows system vulnerability   Vulnerability detection  √      √           √         √           √
                               Vulnerability fixing     ×      ×           √         √           √
Web-CMS vulnerability          Vulnerability detection  √      √           √         √           √
                               Vulnerability fixing     ×      ×           √         √           √
Urgent vulnerability           Vulnerability detection  √      √           √         √           √
                               Vulnerability fixing     ×      ×           ×         ×           ×
Application vulnerability      Vulnerability detection  ×      ×           ×         √           √
                               Vulnerability fixing     ×      ×           ×         ×           ×
Note Security Center can detect urgent vulnerabilities and application vulnerabilities, but cannot fix these types of vulnerabilities. If you want to fix these types of vulnerabilities, you must log on to the server on which the vulnerabilities are detected and manually fix the vulnerabilities based on the fix suggestions that are provided on the details pages of the vulnerabilities.

Supported operating systems of vulnerability detection and vulnerability fixing

Operating system: Versions
CentOS: CentOS 5, CentOS 6, CentOS 7, and CentOS 8. For CentOS 5, CentOS 6, and CentOS 8, Security Center can detect and fix only the vulnerabilities that are disclosed before their respective end of life (EOL) date.
Redhat: Redhat 5, Redhat 6, Redhat 7, and Redhat 8. For Redhat 5 and Redhat 6, Security Center can detect and fix only the vulnerabilities that are disclosed before their respective EOL date.
Ubuntu: Ubuntu 12, Ubuntu 14, Ubuntu 16, Ubuntu 18, Ubuntu 20, and Ubuntu 21. For Ubuntu 12, Ubuntu 14, and Ubuntu 16, Security Center can detect and fix only the vulnerabilities that are disclosed before their respective EOL date.
Windows Server: Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019. For Windows Server 2008, Security Center can detect and fix only the vulnerabilities that are disclosed before the EOL date.
Alibaba Cloud Linux: Alibaba Cloud Linux 2.1903 and Alibaba Cloud Linux 3.
Anolis OS: Anolis OS 7.9 and Anolis OS 8.

Easily exploitable vulnerabilities

The Show only real risk vulnerabilities switch is located in the upper-right corner of the vulnerability list on the Vulnerabilities page. After you turn on the switch, Security Center displays only the vulnerabilities that have a high urgency score in the vulnerability list. After you turn off the switch, Security Center displays all vulnerabilities in the vulnerability list.

After you turn on the switch, Security Center automatically analyzes the vulnerabilities on your system and detects and displays easily exploitable vulnerabilities. In addition, the Vulnerabilities page displays only the vulnerabilities whose urgency score is greater than or equal to 13.5. If you want to view only the vulnerabilities that have a high urgency score, we recommend that you turn on the switch.

Note The urgency score of a vulnerability helps you determine whether to immediately fix the vulnerability. If the urgency score of a vulnerability is greater than or equal to 13.5, the vulnerability is critical and must be immediately fixed. For more information, see Priorities to fix vulnerabilities.

Vulnerability statistics

You can log on to the Security Center console and view vulnerability statistics in the upper part of the Vulnerabilities page.

Recommended Fix (CVE)

Click the number below Recommended Fix (CVE) to go to the Recommended Fix (CVE) panel. In the panel, you can view the vulnerabilities of all types that have a high fix priority. For more information about how to fix vulnerabilities, see View and handle Linux software vulnerabilities, View and handle Windows system vulnerabilities, View and handle Web-CMS vulnerabilities, View and handle application vulnerabilities, and View and handle urgent vulnerabilities.

Vul Servers

Click the number below Vul Servers to go to the Server(s) tab of the Assets page. On the Server(s) tab, you can view the details about the servers on which vulnerabilities are detected.

Fixing

Click the number below Fixing to go to the Fixing panel. In the panel, you can view the list of vulnerabilities that are being fixed and the fix progress.

Fixed Today

Click the number below Fixed Today to go to the Fixed Today panel. In the Fixed Today panel, you can view information about the assets affected by the vulnerabilities that are fixed on the current day.

You can perform the following operations in the panel:
  • View related processes: Click the Related process icon in the Related process column to view the processes or service systems that may be affected when Security Center fixes the vulnerability.
  • View the details about the Alibaba Cloud vulnerability library: Click a CVE ID in the Vul (cve) column to view details about the vulnerability in the Alibaba Cloud vulnerability library.
    If multiple vulnerabilities are detected on an asset, the number of vulnerabilities is displayed in the Vul (cve) column. If you want to view the details about a vulnerability, move the pointer over the displayed CVE ID and click the CVE ID.
  • View the details about a vulnerability fix: Click Details in the Actions column to view the descriptions and risks of the vulnerability fix.
  • Undo a vulnerability fix: If you have created a snapshot for an asset, you can undo the fixes of vulnerabilities on the asset. To undo a fix, click Undo Fix in the Actions column, select the snapshot that you have created, and then click OK.
    Note The snapshot of an asset allows you to undo the fixes of the Linux software vulnerabilities and Windows system vulnerabilities that are detected on the asset.

Total Fixed

Click the number below Total Fixed to go to the Total Fixed panel. In the Total Fixed panel, you can view information about the assets affected by vulnerabilities that are fixed.

Disclosed Vulnerabilities

Click the number below Disclosed Vulnerabilities to go to the Detectable Vulnerabilities panel. In the Detectable Vulnerabilities panel, you can view the list of and details about the vulnerabilities that can be detected by Security Center. The details include CVE IDs, vulnerability names, vulnerability detection methods, and vulnerability disclosure time. In the panel, you can also enter a CVE ID or vulnerability name above the vulnerability list to search for a specific vulnerability. This way, you can check whether the vulnerability can be detected by Security Center. You can click the CVE ID of a vulnerability to view details about the vulnerability in the Alibaba Cloud vulnerability library.

Latest System Vul Time

View the time when a vulnerability scan task was last performed below Latest System Vul Time.
Note If you want to manually scan newly purchased Elastic Compute Service (ECS) instances at an unscheduled time, click Scan now to start the scan task. For more information, see Use the quick scan feature.

References

How often does Security Center detect vulnerabilities?

What are the differences between baselines and vulnerabilities?

What do I do if I cannot enable the vulnerability detection feature for a server on the Assets page?