Security Center:Vulnerability management overview

Continuous and automated vulnerability management for critical business servers

• Scenario: Critical business servers require daily vulnerability scans and timely fixes to keep services secure and stable.

• Applicable editions: Advanced, Enterprise, or Ultimate.

• Features: Supports one automatic periodic vulnerability scan per day and unlimited vulnerability fixes. It also supports manual vulnerability scans to address sudden security incidents.

Basic protection for non-core servers or development environments

• Scenario: You need basic vulnerability detection and fixing for a small number of servers (fewer than 10) or for development and testing environments, while keeping costs low.

• Applicable editions: Anti-virus, with an option to Purchase vulnerability fixes on demand.

• Features: Supports one automatic periodic vulnerability scan every two days, meeting basic needs. When you need to fix vulnerabilities, you can use the pay-as-you-go model or purchase a fix package for flexible vulnerability management.

Rapidly respond to and investigate newly disclosed critical vulnerabilities

• Scenario: When a major security vulnerability (such as Log4j2) is disclosed, you need to immediately determine if any of your server assets are affected.

• Applicable editions: Enterprise or Ultimate.

• Features: Use the manual vulnerability scan to immediately run a comprehensive scan on all or a subset of your servers. The scan results provide detailed vulnerability information and official remediation advice for manual fixes.

Vulnerability scan

Vulnerability Scan supports two methods: manual vulnerability scan and periodic automatic vulnerability scan.

Vulnerability fixing

Security Center provides a One-click Fix capability that automatically deploys a patch to help you resolve security issues quickly.

• Vulnerability fix calculation rules

  • Minimum unit: Successfully fixing one Security Notice on one server counts as one fix.

    Important

    A single Security Notice may contain multiple related CVEs. Fixing the notice counts as only 1 fix, regardless of how many CVEs it includes.

  • Number of vulnerability fixes = Σ (Number of Security Notices with the "Fixed" status on each server)

    Important

    A fix is counted only after the server restarts and its status changes to "Fixed". Failed fixes are not counted.

  • Example:

    If you use Security Center to successfully fix 10 different Security Notices on each of 5 servers:

    Total vulnerability fixes = 5 servers × 10 Security Notices = 50 fixes

• Vulnerability fix priority

  When vulnerabilities exist, the Alibaba Cloud vulnerability scoring system (based on CVSS and combined with real-world cloud attack scenarios) helps you prioritize fixes. This system considers a vulnerability's severity, exploit maturity, threat risk, and the scope of affected assets.

  • Vulnerability Remediation Urgency Score = Alibaba Cloud Vulnerability Score × Time Factor × Environment Factor × Asset Importance Factor.

    • Alibaba Cloud Vulnerability Score: Evaluates the inherent severity of the vulnerability.

    • Time Factor: Considers dynamic factors like the vulnerability's disclosure date and the prevalence of exploit methods (value from 0 to 1).

    • Environment Factor: Assesses the vulnerability's exploitability in the server environment, such as whether it is connected to the public internet (value is dynamically adjusted).

    • Asset Importance Factor: Adjusts the priority based on the asset's importance setting (Important: 1.5, General: 1, Test: 0.5).

  • Fix priority and suggestions:

    Priority	Remediation Urgency Score	Description	Remediation Suggestion
    High	13.5 or higher	Easily exploitable by an unauthenticated remote attacker, leading to system compromise (e.g., arbitrary code execution) without user interaction. Often used by worms and ransomware.	Fix as soon as possible
    Medium	7.1 to 13.5	Potentially compromises the confidentiality, integrity, or availability of resources. Typically includes vulnerabilities with high official ratings but are not yet demonstrably exploitable.	Can be fixed later
    Low	Below 7.1	Extremely low probability of successful exploitation or no real risk if exploited. Common in source code bugs or vulnerabilities with minor impacts on compliance or business performance.	Can be postponed
    Special	-	Urgent Vulnerability and Web-CMS Vulnerability: High-risk vulnerabilities confirmed by Alibaba Cloud security engineers. We recommend you fix them as soon as possible. When the environment factor cannot be obtained due to network issues, the suggestion may display as "Can be postponed."	Fix as soon as possible

Rule update schedule

To cover new Security Notices from OS vendors, Security Center regularly updates its vulnerability detection rules.

• Linux Systems:

  • High-risk vulnerabilities: Detection rules are added within 48 hours of the OS vendor's announcement.

  • CVE vulnerabilities: Detection rules are added within 14 days of the OS vendor's announcement.

• Windows Systems: CVE vulnerability detection rules are added within 48 hours of Microsoft's announcement.

Data retention policy

To ensure efficient system performance, Security Center automatically cleans up stale vulnerability data.

• Active vulnerabilities:
  If a vulnerability's status (e.g., Fixed, Fixing Failed, Ignored, Unfixed, Fixing, Verifying) does not change for one year, the system automatically deletes the vulnerability record.

• Invalid vulnerabilities:
  The system automatically deletes a vulnerability record if its status remains Invalid for longer than the retention period defined in Retain Invalid Vulnerabilities For under Vulnerability Settings.

Supported operating systems for vulnerability scanning and fixing

End-of-life OS vulnerability support

For operating systems that have reached End of Life (EOL), Security Center no longer supports scanning, detection, or fixing of Linux Software Vulnerabilities and Windows System Vulnerabilities disclosed after the EOL date.