Security Center provides the vulnerability management feature. You can use the feature to detect and fix common types of vulnerabilities in your assets at the earliest opportunity. This topic describes the priorities to fix vulnerabilities, the procedure for fixing vulnerabilities, and the descriptions of the vulnerability fixing feature.
Priorities to fix vulnerabilities
The priorities to fix vulnerabilities vary based on the following factors:
- Technology.
- Exploitability. This factor can refer to a proof of concept (PoC), an exploit, a weaponized worm, or a weaponized virus.
- Threat. This factor indicates whether the vulnerability can be exploited to obtain server permissions.
- Number of affected IP addresses after the vulnerability is exploited. This factor indicates the likelihood of the vulnerability being exploited by attackers.
Security Center provides a formula to calculate the score of urgency to fix a vulnerability. You can use the score to determine the priority to fix a vulnerability. For more information about the formula, see Formula for the score of urgency to fix a vulnerability.
The following table describes the mappings between the score of urgency to fix a vulnerability and each priority.
Priority | Description | Score of urgency to fix a vulnerability | Solution |
---|---|---|---|
High | This priority is assigned to a vulnerability that can be easily exploited by an unauthenticated remote attacker. The vulnerability can be exploited to compromise systems through arbitrary code execution without user interaction. In most cases, this type of vulnerability is exploited by worms or ransomware. | Greater than 13.5 | We recommend that you fix this type of vulnerability at the earliest opportunity. |
Medium | This priority is assigned to a vulnerability that may adversely affect the confidentiality, integrity, or availability of resources. In most cases, this type of vulnerability cannot be exploited. However, this type of vulnerability is given a high CVSS score when it is disclosed on the Internet or at an official website. We recommend that you attach importance to this type of vulnerability. | 7.1 to 13.5 | We recommend that you fix this type of vulnerability based on your business requirements. |
Low | This priority is assigned to a vulnerability that has the lowest possibility of being exploited or does not pose risks after it is exploited. In most cases, this type of vulnerability is a bug in the source code of a program or a vulnerability that affects compliance and service performance. | Less than 7 | We recommend that you ignore this type of vulnerability. |
Suggestions for fixing vulnerabilities
- If multiple vulnerabilities are detected in your assets, you may be unable to identify the vulnerability that must be fixed at the earliest opportunity. To address this issue, go to the Vulnerabilities page and turn on Show only real risk vulnerabilities to obtain the vulnerabilities with the high priority.
The real risk vulnerability model of Security Center evaluates vulnerabilities based on the following factors: Alibaba Cloud vulnerability scoring system, time score, environment score, asset importance score, PoC, exploitability, and severity. This way, the real risk vulnerabilities are automatically identified. You can turn on the switch to help your enterprise fix the exploitable vulnerabilities at the earliest opportunity and improve the fixing efficacy.
- If several types of vulnerabilities are detected, we recommend that you preferentially fix urgent vulnerabilities and Web-CMS vulnerabilities because these types of vulnerabilities are confirmed by Alibaba Cloud security engineers as high-risk vulnerabilities. After you fix these vulnerabilities, you can continue to fix application vulnerabilities, Windows system vulnerabilities, and Linux software vulnerabilities.
- You can determine whether to preferentially fix a vulnerability based on your business requirements, server usage, and the impact of vulnerability fixing.
Procedure for fixing vulnerabilities
To prevent errors and ensure that the operating system of your server runs as expected during the vulnerability fixing, we recommend that you perform the following operations to fix vulnerabilities:
Descriptions of the vulnerability fixing feature
Urgent and application vulnerabilities
- Security Center cannot fix vulnerabilities in all operating systems. If you directly use patches to fix vulnerabilities in some operating systems, risks can occur. To prevent risks, we recommend that you create snapshots in the ECS console and build a test environment to test your fixing solution. If urgent or application vulnerabilities are detected on an ECS instance, you can go to the ECS console to create snapshots for data backup. We recommend that you export the list of ECS instances on which vulnerabilities are detected and create snapshots by using the automatic snapshot feature. For more information, see Overview.
- If vulnerabilities cannot be fixed because the fixes affect your business or the required security patches are not released, we recommend that you perform attack prevention based on the officially provided solutions for temporary mitigation.
- If vulnerabilities do not affect your business and have security patches released, we recommend that you upgrade your software to a secure version before you fix vulnerabilities.
Linux software vulnerabilities and Windows system vulnerabilities
Security Center automatically detects Linux software vulnerabilities and Windows system vulnerabilities and allows you to fix these vulnerabilities with a few clicks. We recommend that you log on to the Security Center console and go to the details page of a specified vulnerability to handle the vulnerability. For more information about vulnerability fixing, see View and handle vulnerabilities.
If multiple Linux software vulnerabilities are detected in your assets, you can use the batch fixing feature to fix the vulnerabilities at a time. The feature is supported only for Linux software vulnerabilities. When you fix multiple vulnerabilities at a time, Security Center automatically identifies the affected assets and fixes the vulnerabilities on those assets. You can perform the following operations to fix multiple Linux software vulnerabilities at a time:
If batch fixing fails, check whether the network connection of your server is normal and whether the disk space is sufficient. For more information, see Linux software vulnerabilities and Windows system vulnerabilities fail to be fixed. Why?
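The two failure causes named above, insufficient disk space and a broken network connection, can be checked on the server before a batch fix is started. The following pre-flight script is an added example and not Security Center's own code; the MIN_FREE_MB threshold and the host and port passed on the command line (your package mirror or update endpoint) are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Pre-flight check before a batch fix (added example, not Security Center code).
# It verifies the two common causes of failed batch fixes: too little free disk
# space and no network path to the update endpoint.
# Assumptions: MIN_FREE_MB is a locally chosen threshold; <host> <port> on the
# command line is your package mirror or update endpoint.

MIN_FREE_MB="${MIN_FREE_MB:-1024}"

# free_mb <path>: free space in MiB on the filesystem that holds <path>.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1024 }'
}

# disk_ok <path> <min_mb>: exit 0 when at least <min_mb> MiB are free.
disk_ok() {
    [ "$(free_mb "$1")" -ge "$2" ]
}

# check_disk_paths <min_mb> <path>...: exit 0 only if every path passes.
check_disk_paths() {
    min="$1"; shift
    rc=0
    for p in "$@"; do
        if disk_ok "$p" "$min"; then
            echo "OK   disk: $(free_mb "$p") MiB free on $p"
        else
            echo "FAIL disk: less than $min MiB free on $p" >&2
            rc=1
        fi
    done
    return "$rc"
}

# net_ok <host> <port>: exit 0 when a TCP connection opens within 5 seconds.
net_ok() {
    command -v nc >/dev/null 2>&1 || { echo "nc not found, network check skipped" >&2; return 2; }
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# preflight <host> <port>: run both checks. Package downloads and patch
# extraction usually land under /var and /tmp, so they are checked with /.
preflight() {
    ok=0
    check_disk_paths "$MIN_FREE_MB" / /var /tmp || ok=1
    if net_ok "$1" "$2"; then echo "OK   net: $1:$2 reachable"
    else echo "FAIL net: cannot reach $1:$2" >&2; ok=1; fi
    return "$ok"
}

# Usage: sh preflight.sh <update-host> <port>; exits non-zero if a check fails.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it on the affected server before starting the batch fix; a non-zero exit tells you which of the two conditions to resolve first.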
Web-CMS vulnerabilities
Security Center detects Web-CMS vulnerabilities and allows you to fix the vulnerabilities with a few clicks. The Web-CMS vulnerability detection feature can monitor website directories and identify vulnerabilities in common website builders. You can fix Web-CMS vulnerabilities in the same manner that you fix Linux software vulnerabilities. For more information, see View and handle vulnerabilities.