Security Center provides the vulnerability management feature. You can use the feature to detect and fix common types of vulnerabilities in your assets at the earliest opportunity. This topic describes the priorities to fix vulnerabilities, the procedure for fixing vulnerabilities, and the descriptions of the vulnerability fixing feature.

Priorities to fix vulnerabilities

The priorities to fix vulnerabilities vary based on the following factors:

  • Technology.
  • Exploitability. This factor can refer to a proof of concept (PoC), an exploit, a weaponized worm, or a weaponized virus.
  • Threat. This factor indicates whether the vulnerability can be exploited to obtain server permissions.
  • Number of affected IP addresses after the vulnerability is exploited. This factor indicates the likelihood of the vulnerability being exploited by attackers.

Security Center provides a formula to calculate the score of urgency to fix a vulnerability. You can use the score to determine the priority to fix a vulnerability. For more information about the formula, see Formula for the score of urgency to fix a vulnerability.

The following table describes the mappings between the score of urgency to fix a vulnerability and each priority.

Priority Description Score of urgency to fix a priority Solution
High This priority is assigned to a vulnerability that can be easily exploited by an unauthenticated remote attacker. The vulnerability can be exploited to compromise systems over arbitrary code execution without user interactions. In most cases, this type of vulnerability is exploited by worms or ransomware. Greater than 13.5 We recommend that you fix this type of vulnerability at the earliest opportunity.
Medium This priority is assigned to a vulnerability that may adversely affect the confidentiality, integrity, or availability of resources. In most cases, this type of vulnerability cannot be exploited. However, this type of vulnerability is given a high score by the CVSS when they are disclosed on the Internet or at an official website. We recommend that you attach importance to this type of vulnerability. 7.1 to 13.5 We recommend that you fix this type of vulnerability based on your business requirements.
Low This priority is assigned to a vulnerability that has the lowest possibility of being exploited or does not pose risks after it is exploited. In most cases, this type of vulnerability is a bug in the source code of a program or a vulnerability that affects compliance and service performance. Less than 7 We recommend that you ignore this type of vulnerability.

Suggestions for fixing vulnerabilities

  1. If multiple vulnerabilities are detected in your assets, you may be unable to identify the vulnerability that must be fixed at the earliest opportunity. To address this issue, go to the Vulnerabilities page and turn on Show only real risk vulnerabilities to obtain the vulnerabilities with the high priority.

    The real risk vulnerability model of Security Center evaluates vulnerabilities based on the following factors: Alibaba Cloud vulnerability scoring system, time score, environment score, asset importance score, PoC, exploitability, and severity. This way, the real risk vulnerabilities are automatically identified. You can turn on the switch to help your enterprise fix the exploitable vulnerabilities at the earliest opportunity and improve the fixing efficacy.

  2. If several types of vulnerabilities are detected, we recommend that you preferentially fix urgent vulnerabilities and Web-CMS vulnerabilities because these types of vulnerabilities are confirmed by Alibaba Cloud security engineers as high-risk vulnerabilities. After you fix these vulnerabilities, you can continue to fix application vulnerabilities, Windows system vulnerabilities, and Linux software vulnerabilities.
  3. You can determine whether to preferentially fix a vulnerability based on your business requirements, server usage, and the impact of vulnerability fixing.

Procedure for fixing vulnerabilities

To prevent errors and ensure that the operating system of your server runs as expected during the vulnerability fixing, we recommend that you perform the following operations to fix vulnerabilities:

  1. Scan for vulnerabilities.
    1. Log on to the Security Center console.In the left-side navigation pane, choose Risk Management > Vulnerabilities.
    2. In the upper-right corner of the Vulnerabilities page, click Settings.
    3. In the Settings panel, check the configurations to ensure that all types of vulnerabilities can be detected on all servers. For more information, see Scan for vulnerabilities.
    4. Go to the Vulnerabilities page and click Scan now.
      Check the vulnerability status of all servers that belong to the current account to ensure that the information about detected vulnerabilities is up-to-date.
  2. Perform tests before you fix vulnerabilities.
    Before you fix vulnerabilities, install patches for the vulnerabilities that you want to fix in the test environment, test compatibility and security, and then generate test reports on the vulnerability fixes after the tests are complete. A test report must include the vulnerability fixing results, fixing duration, patch compatibility, and impacts caused by the vulnerability fixing.
  3. Back up data on the servers for which you want to fix vulnerabilities.
    Before you fix a vulnerability, use a backup and restoration feature to back up the data on the server. For example, you can use the snapshot feature of Elastic Compute Service (ECS) to create a snapshot of an ECS instance. When you fix Windows system vulnerabilities and Linux software vulnerabilities, you can select the Create snapshots automatically and fix option to back up data. When you fix urgent and application vulnerabilities, you must go to the ECS console to create snapshots. We recommend that you export the list of ECS instances on which vulnerabilities are detected and then use the automatic snapshot feature to back up data. For more information, see Overview.
  4. Fix vulnerabilities.
    Upload vulnerability patches to the servers and use the patches to fix vulnerabilities. This task requires at least two administrators. One administrator is responsible for fixing the vulnerabilities and the other is responsible for recording the fixing process. Exercise caution when you fix vulnerabilities.
  5. Verify vulnerability fixes.
    Check whether vulnerabilities on the servers are fixed. Make sure that the vulnerabilities are fixed and no exceptions occurred on the servers.

Descriptions of the vulnerability fixing feature

Urgent and application vulnerabilities

Security Center detects urgent and application vulnerabilities and provides suggestions on how to fix these vulnerabilities. However, Security Center does not allow you to fix urgent and application vulnerabilities with a few clicks. If you want to fix these types of vulnerabilities, you must log on to the server on which the vulnerabilities are detected and manually fix the vulnerabilities based on the fixing suggestions that are provided on the details pages of the vulnerabilities.
Important
  • Security Center cannot fix vulnerabilities in all operating systems. If you directly use patches to fix vulnerabilities in some operating systems, risks can occur. To prevent risks, we recommend that you create snapshots in the ECS console and build a test environment to test your fixing solution. If urgent or application vulnerabilities are detected on an ECS instance, you can go to the ECS console to create snapshots for data backup. We recommend that you export the list of ECS instances on which vulnerabilities are detected and create snapshots by using the automatic snapshot feature. For more information, see Overview.
  • If vulnerabilities cannot be fixed because the fixes affect your business or the required security patches are not released, we recommend that you perform attack prevention based on the officially provided solutions for temporary mitigation.
  • If vulnerabilities do not affect your business and have security patches released, we recommend that you upgrade your software to a secure version before you fix vulnerabilities.

Linux software vulnerabilities and Windows system vulnerabilities

Security Center automatically detects Linux software vulnerabilities and Windows system vulnerabilities and allows you to fix these vulnerabilities with a few clicks. We recommend that you log on to the Security Center console and go to the details page of a specified vulnerability to handle the vulnerability. For more information about vulnerability fixing, see View and handle vulnerabilities.

If multiple Linux software vulnerabilities are detected in your assets, you can fix the batch fixing feature to fix the vulnerabilities at a time. The feature is supported only for Linux software vulnerabilities. When you fix multiple vulnerabilities at a time, Security Center automatically identifies affected assets and fixes the vulnerabilities in these assets. You can perform the following operations to fix multiple Linux software vulnerabilities at a time:

  1. Log on to the Security Center console.In the left-side navigation pane, choose Risk Management > Vulnerabilities.
  2. On the Linux Software tab of the Vulnerabilities page, select the vulnerabilities that you want to fix and click Batch Repair.
    Note To prevent impacts on performance, we recommend that you fix no more than 100 vulnerabilities at a time. If you want to fix more than 100 vulnerabilities, you can create snapshots in batches and then fix the vulnerabilities.
  3. In the Batch Repair dialog box, view the affected assets, select Create snapshots automatically and fix or Skip snapshot backup and fix directly, and then click Fix Now.

If multiple vulnerabilities fail to be fixed at a time, check whether the network connection of your server is normal and whether the disk space is sufficient. For more information, see Linux software vulnerabilities and Windows system vulnerabilities fail to be fixed. Why?

Web-CMS vulnerabilities

Security Center detects Web-CMS vulnerabilities and allows you to fix the vulnerabilities with a few clicks. The Web-CMS vulnerability detection feature can monitor website directories and identify vulnerabilities in common website builders. You can fix Web-CMS vulnerabilities in the same manner that you fix Linux software vulnerabilities. For more information, see View and handle vulnerabilities.