Patching a production server carries real risk: a failed patch can take down services just as effectively as the vulnerability it was meant to fix. Before you begin, plan your approach around business continuity so the fix doesn't become the incident.
The guidance in this topic applies to vulnerabilities detected across operating systems, network devices, databases, and middleware.
Decide what to fix
Not every vulnerability needs an immediate fix. Prioritize vulnerabilities based on your business requirements, the server's resource usage, and the potential impact of the fix itself.
Before fixing
Develop a fixing plan
Investigate the operating system and application stack of the target server, then write a step-by-step fixing plan. Include what to patch, in what order, and how to verify success. Verify the plan in a test environment before applying it to production.
Test in a staging environment
Test patches before deploying to production. A patch that breaks a critical application or fails to install can cause more disruption than the vulnerability it was meant to fix.
Set up a staging environment that mirrors production:
The operating system and database system must match the production environment.
The application system must match the production environment.
Use the most recent full backup of the production system as test data.
After testing, generate a test report that covers:
| Report item | Description |
|---|---|
| Vulnerability fixing results | Which vulnerabilities were fixed and which were not |
| Fixing duration | How long each fix took |
| Patch compatibility | Whether the patch is compatible with the current environment |
| Impacts observed during testing | Any service disruptions, errors, or unexpected behavior |
Back up the system
Back up the entire business system (operating system, applications, and data) and verify that the backup can actually restore the system. If the fix causes an error or data loss, use the backup or the rollback feature to return to the pre-fix state.
When fixing vulnerabilities in the Security Center console, select Create snapshots automatically and fix. Security Center then creates a snapshot automatically. If an exception occurs, roll back to that snapshot to restore your system.
Security Center automatically creates a system snapshot only for Linux software vulnerabilities and Windows system vulnerabilities.
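The "verify that the backup can restore the system" step is the one most often skipped. The following script is an added example, not Security Center's own tooling: it archives a directory tree together with a SHA-256 manifest, restores the archive into a scratch directory, and only reports success when every restored file matches the manifest. The directory layout and file contents are constructed for the demo; the second scenario shows the failure you want to catch, an archive that was refreshed after the manifest was taken.

```shell
#!/bin/sh
# Added example (not Security Center's own tooling): back up a directory tree
# and prove the archive restores byte-for-byte before it is trusted as the
# pre-fix rollback point. All paths and files below are constructed for the demo.

# make_backup SRC_DIR ARCHIVE
# Writes a compressed tar of SRC_DIR plus a SHA-256 manifest of every file,
# so that a later restore can be checked instead of assumed.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" .
    ( cd "$src" && find . -type f -exec sha256sum {} + ) > "$archive.sha256"
}

# verify_restore ARCHIVE
# Restores into a scratch directory and checks every file against the
# manifest. Returns 0 only when the restored tree matches what was backed up.
verify_restore() {
    archive="$1"
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    scratch=$(mktemp -d)
    rc=1
    if tar -C "$scratch" -xzf "$archive" \
       && ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ); then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# build_sample DIR: constructed stand-in for a business system (config + data).
build_sample() {
    mkdir -p "$1/etc/app" "$1/var/lib/app"
    printf 'listen=8443\n' > "$1/etc/app/app.conf"
    printf 'order,42\n' > "$1/var/lib/app/data.csv"
}

# run_backup_check: full cycle on sample data; prints PASS/FAIL and returns the
# verify_restore status so a caller can branch on it.
run_backup_check() {
    work=$(mktemp -d)
    build_sample "$work/system"
    make_backup "$work/system" "$work/system.tar.gz"
    if verify_restore "$work/system.tar.gz"; then
        echo "PASS: backup restores cleanly"; status=0
    else
        echo "FAIL: restored tree differs from manifest"; status=1
    fi
    rm -rf "$work"
    return $status
}

# run_stale_backup_check: data changed after the manifest was taken and the
# archive was rebuilt without a new manifest, so verification must fail.
# This is the case a bare "we have a backup" assumption hides.
run_stale_backup_check() {
    work=$(mktemp -d)
    build_sample "$work/system"
    make_backup "$work/system" "$work/system.tar.gz"
    printf 'order,43\n' >> "$work/system/var/lib/app/data.csv"
    tar -C "$work/system" -czf "$work/system.tar.gz" .   # archive refreshed, manifest not
    if verify_restore "$work/system.tar.gz"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

run_backup_check
run_stale_backup_check || echo "stale archive correctly rejected"
```

On a real server the manifest should be stored apart from the archive (for example alongside the snapshot record), so that a corrupted or partially written archive cannot carry a matching manifest with it.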
Check asset information
Confirm the server's asset information, including the versions of the software in which Security Center detected vulnerabilities.
Schedule during off-peak hours
Fix vulnerabilities during off-peak hours to reduce the impact on business operations.
During fixing
Keep at least two administrators involved throughout the process: one performs the fix, the other monitors and records each step. This separation reduces the risk of misoperations.
Work through the system's vulnerability list and fix the vulnerabilities one at a time.
After fixing
Verify that all targeted vulnerabilities are resolved and that no new exceptions have appeared on the server.
Generate a vulnerability fix report based on the fixing process and archive the relevant documents.
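Three of the steps above reduce to the same comparison: does staging match production, which software versions does the server actually run, and after the fix, did the targeted packages change and nothing else. The script below is an added example, not Security Center's own tooling. It compares two "name version" inventories and, for the post-fix check, returns success only when every targeted package changed version and no other package did. The inventory lines are constructed for the demo; on a real host they would come from `dpkg-query -W -f='${Package} ${Version}\n'` or `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`.

```shell
#!/bin/sh
# Added example (not Security Center's own tooling): take a package inventory
# before and after patching and compare the two, so that "the fix applied" and
# "nothing else changed" are both checked rather than assumed. The same
# comparison answers whether staging matches production.
# Inventory lines below are constructed; on a real Debian/RHEL host they come from
#   dpkg-query -W -f='${Package} ${Version}\n'
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'

# inventory_diff BASE OTHER
# Prints one line per package whose version differs or that exists in only one
# inventory. Files hold "name version" per line. Prints nothing when identical.
inventory_diff() {
    awk 'NR==FNR { base[$1]=$2; next }
         { seen[$1]=1
           if (!($1 in base))       printf "%s: absent in base, %s in other\n", $1, $2
           else if (base[$1] != $2) printf "%s: %s -> %s\n", $1, base[$1], $2 }
         END { for (p in base) if (!(p in seen))
                   printf "%s: %s in base, absent in other\n", p, base[p] }' \
        "$1" "$2" | sort
}

# diff_count BASE OTHER: number of differing packages (0 means parity).
diff_count() { inventory_diff "$1" "$2" | awk 'END { print NR }'; }

# verify_fix PRE POST TARGET...
# Returns 0 only if every TARGET package changed version and no other package
# changed. Findings are printed either way.
verify_fix() {
    pre="$1"; post="$2"; shift 2
    rc=0
    changes=$(inventory_diff "$pre" "$post")
    for pkg in "$@"; do
        if printf '%s\n' "$changes" | grep -q "^$pkg: "; then
            echo "OK: $pkg updated"
        else
            echo "MISSING: $pkg unchanged after fix"; rc=1
        fi
    done
    # Any change outside the target list is a side effect that needs explaining.
    unexpected=$(printf '%s\n' "$changes" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        case " $* " in *" $name "*) ;; *) echo "UNEXPECTED: $line" ;; esac
    done)
    [ -z "$unexpected" ] || { echo "$unexpected"; rc=1; }
    return $rc
}

# write_samples DIR: constructed inventories for production before the fix,
# two possible post-fix states, and a staging host that drifted.
write_samples() {
    printf 'kernel-core 5.10.0-1\nlibssl 1.2.3-4\nnginx 1.20.1-1\npostgresql 13.4-1\n' > "$1/pre.txt"
    printf 'kernel-core 5.10.0-1\nlibssl 1.2.3-5\nnginx 1.20.1-1\npostgresql 13.4-1\n' > "$1/post_ok.txt"
    printf 'kernel-core 5.10.0-1\nlibssl 1.2.3-4\nnginx 1.20.2-1\npostgresql 13.4-1\n' > "$1/post_bad.txt"
    printf 'kernel-core 5.10.0-1\nlibssl 1.2.3-4\nnginx 1.20.0-1\n' > "$1/staging.txt"
}

# Scenario helpers: each builds the sample data, runs one check, and returns it.
demo_verify_ok() {
    d=$(mktemp -d); write_samples "$d"
    if verify_fix "$d/pre.txt" "$d/post_ok.txt" libssl; then s=0; else s=1; fi
    rm -rf "$d"; return $s
}
demo_verify_bad() {
    d=$(mktemp -d); write_samples "$d"
    if verify_fix "$d/pre.txt" "$d/post_bad.txt" libssl; then s=0; else s=1; fi
    rm -rf "$d"; return $s
}
demo_parity() {   # prints how far staging is from production
    d=$(mktemp -d); write_samples "$d"
    diff_count "$d/pre.txt" "$d/staging.txt"
    rm -rf "$d"
}

echo "--- post-fix check, only libssl changed:"; demo_verify_ok
echo "--- post-fix check, libssl untouched and nginx changed:"; demo_verify_bad || true
echo "--- packages differing between production and staging: $(demo_parity)"
```

Run the pre-fix inventory as part of "Check asset information", keep it with the fixing plan, and run the comparison as the first step of "After fixing"; the two inventories plus the diff output are a ready-made appendix for the fix report.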