All Products
Search

This Product

    Security Center:View and handle vulnerabilities

    Document Center

    Security Center:View and handle vulnerabilities

    Last Updated:Dec 07, 2023

    After a vulnerability scan is complete, you can view and handle the vulnerabilities on your assets on the Vulnerabilities page. This topic describes how to view the results of a vulnerability scan and fix the vulnerabilities on your assets.

    Prerequisites

    A vulnerability scan is complete. For more information, see Scan for vulnerabilities.

    View vulnerability scan results

    View all vulnerabilities

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

    2. In the left-side navigation pane, choose Risk Management > Vulnerabilities.

    3. On the Vulnerabilities page, view the results of the vulnerability scan.

      • View the overview of the vulnerability scan results.

        In the upper part of the Vulnerabilities page, you can view the overall information about vulnerabilities.

        Parameter

        Description

        Recommended Fix (CVE)

        Click the number below Recommended Fix (CVE) to go to the Recommended Fix (CVE) panel. In the panel, you can view security bulletins for all types of vulnerabilities with the high priority. For more information about how to fix vulnerabilities, see Handle vulnerabilities.

        Vul Servers

        Click the number below Vul Servers to go to the Server tab of the Host page. On the Server tab, you can view the details about the servers on which vulnerabilities are detected.

        Fixing

        Click the number below Fixing to go to the Fixing panel. In the panel, you can view the list of vulnerabilities that are being fixed and the fixing progress.

        Handled Vulnerabilities Today

        Click the number below Handled Vulnerabilities Today to go to the Handled Vulnerabilities Today panel. In the panel, you can view the list of affected assets for the vulnerabilities that are fixed on the current day and the related information.

        You can perform the following operations in the panel:

        • View related processes: Click the 关联进程图标 icon in the Related process column to view the processes or service systems that may be affected when Security Center fixes the vulnerabilities.

        • View the details about the Alibaba Cloud vulnerability library: Click a Common Vulnerabilities and Exposures (CVE) ID in the CVE ID column to view details about the vulnerability in the Alibaba Cloud vulnerability library.

          If multiple vulnerabilities are detected on an asset, the number of vulnerabilities is displayed in the CVE ID column. If you want to view the details about a vulnerability, move the pointer over a CVE ID that is displayed and click the CVE ID.

        • View the details about an asset-level vulnerability fix: Find an affected asset and click Details in the Actions column to view the impact and risk descriptions of the vulnerability fix for the asset.

        • Undo an asset-level vulnerability fix: If you have created a snapshot for an asset, you can undo the fixes of vulnerabilities that are detected on the asset. To undo an asset-level vulnerability fix, find the asset and click Rollback in the Actions column. In the dialog box that appears, select the snapshot that you want to use and click OK.

          Note

          You can use a snapshot of an asset to undo the fixes of only Linux software vulnerabilities and Windows system vulnerabilities that are detected on the asset.

        Total Handled Vulnerabilities

        Click the number below Total Handled Vulnerabilities to go to the Total Handled Vulnerabilities panel. In the panel, you can view the list of affected assets for all vulnerabilities that are fixed and the related information.

        Disclosed Vulnerabilities

        Click the number below Disclosed Vulnerabilities to go to the Detectable Vulnerabilities panel. In the panel, you can view the list of and details about the vulnerabilities that can be detected by Security Center. The details include CVE IDs, vulnerability names, vulnerability detection methods, vulnerability disclosure time, and vulnerability types. In the panel, you can also enter a CVE ID or a vulnerability name above the vulnerability list to search for a vulnerability. This way, you can check whether the vulnerability can be detected by Security Center. You can click the CVE ID of a vulnerability to view details about the vulnerability in the Alibaba Cloud vulnerability library.

      • View the statistical information about vulnerability scan results.

        The following table describes the statistical information about vulnerability scan results.漏洞统计数据说明

        No.

        Description

        1

        The total number of security bulletins for high-risk vulnerabilities that are detected on your assets. If multiple security bulletins are matched for a single server, multiple security bulletins are counted.

        2

        The number of security bulletins for Linux software vulnerabilities that are detected on your assets. The number next to each vulnerability type indicates the number of security bulletins for vulnerabilities of this type that are detected on your assets.

        3

        The number of assets on which the vulnerabilities involved in a security bulletin are detected. The following list describes numbers in different colors:

        • Red: the number of servers on which vulnerabilities of the High priority are detected.

        • Orange: the number of servers on which vulnerabilities of the Medium priority are detected.

        • Gray: the number of servers on which vulnerabilities of the Low priority are detected.

        For more information, see Priorities to fix vulnerabilities.

      • View security bulletins.

        Click the tab of a vulnerability type to view the security bulletins for vulnerabilities of the type that are detected by Security Center on your assets.

        Note

        If the new icon is displayed to the right of a security bulletin, the priority of the vulnerabilities involved in the security bulletin has been changed in the last 15 days, or the vulnerabilities are recently disclosed.

      • View the priorities of vulnerabilities and the number of affected assets.

        The priorities of vulnerabilities are displayed in different colors in the Affected Assets column. The number in each row of the column indicates the total number of the assets that are affected by the vulnerabilities involved in a security bulletin. The following list describes the relationship between colors and priorities:

        • Red: High

        • Orange: Medium

        • Gray: Low

        Note

        We recommend that you fix the vulnerabilities that have the High priority at the earliest opportunity.

      • Search for a security bulletin.

        Use the filters and search box above the list of security bulletins to search for a security bulletin. The search conditions include vulnerability priorities, vulnerability handling states, security bulletin names, and CVE IDs.

      • View security bulletin details.

        Click a security bulletin to go to the details panel. In the panel, you can view the details about the involved vulnerabilities and unhandled vulnerabilities. All assets for which a security bulletin is matched are displayed in the list of unhandled vulnerabilities. If a security bulletin is matched for multiple processes on a server, the processes are separately displayed in the unhandled vulnerability list.

        For more information about the parameters in the details panel of a security bulletin for Linux software vulnerabilities, see Description of the panel that shows the details about a security bulletin for Linux software vulnerabilities.

        In the details panel, you can click the Pending vulnerability tab to view the fixing status of a vulnerability in the Status column.

        Handled or not

        Status

        Description

        Handled

        Fixed

        The vulnerability is fixed.

        Fixing Failed

        Security Center failed to fix the vulnerability. The file that contains the vulnerability may have been modified or does not exist.

        Ignored

        The vulnerability is ignored. Security Center no longer generates alerts for this vulnerability.

        Invalid

        The vulnerability has not been detected in the specified time period. The following list describes the time periods after which vulnerabilities are considered invalid for different types of vulnerabilities:

        • Linux software vulnerabilities and Windows system vulnerabilities: 3 days

        • Web-CMS vulnerabilities: 7 days

        • Application vulnerabilities: 30 days

        • Urgent vulnerabilities: 90 days

        Unhandled

        Unfixed

        The vulnerability is not fixed.

        Verifying

        After you manually fix a vulnerability, you can click Verify in the Actions column to check whether the vulnerability is fixed. After you click Verify, the status of the vulnerability changes to Verifying from Unfixed.

      • Export the list of security bulletins.

        Click the 导出 icon in the upper-right corner above the vulnerability list to export the list of security bulletins.

    View exploitable vulnerabilities

    The exploitable vulnerability model of Security Center evaluates vulnerabilities based on the following factors: Alibaba Cloud vulnerability scoring system, time score, environment score, asset importance score, proof of concept (PoC), exploitability, and vulnerability severity. This way, the exploitable vulnerabilities are automatically identified. You can turn on Show only real risk vulnerabilities to help you fix the exploitable vulnerabilities at the earliest opportunity and improve the fixing efficacy. If you turn off Show only real risk vulnerabilities, all vulnerabilities are displayed. You can perform the following operations to turn on Show only real risk vulnerabilities:

    Note

    In the Outside China region, the switch is not supported for Linux software vulnerabilities. After you turn on Show only real risk vulnerabilities, vulnerabilities other than Linux software vulnerabilities are displayed.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

    2. In the left-side navigation pane, choose Risk Management > Vulnerabilities.

    3. On the Vulnerabilities page, turn on Show only real risk vulnerabilities.

      After you turn on the switch, exploitable vulnerabilities are displayed in the Security Center console.

    Handle vulnerabilities

    Purchase the vulnerability fixing feature

    • If you use the Advanced, Enterprise, or Ultimate edition, you do not need to purchase the feature. You are provided an unlimited quota to fix the vulnerabilities that are detected on the protected servers within your account.

    • If you use the Basic, Value-added Plan, or Anti-virus edition, you must purchase the vulnerability fixing feature based on the pay-as-you-go or subscription billing method.

    Important

    • If you purchase a quota for the vulnerability fixing feature based on the pay-as-you-go billing method, you can use the vulnerability fixing feature to fix only Linux software vulnerabilities and Windows system vulnerabilities.

    • If you want to disable the pay-as-you-go billing method, you can click Suspended in the System Vulnerability Fixing section of the Vulnerabilities page.

    Procedure

    Security Center can fix different types of vulnerabilities. For more information about the vulnerability fixing feature in different editions of Security Center, see Types of vulnerabilities that can be detected and fixed.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

    2. In the left-side navigation pane, choose Risk Management > Vulnerabilities.

    3. On the Vulnerabilities page, handle vulnerabilities.

      Fix Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities

      Security Center allows you to fix and ignore vulnerabilities. In this example, a Linux software vulnerability is used. The following list describes how to fix and ignore a Linux software vulnerability:

      • Fix

        If you confirm that the vulnerability needs to be fixed, you can use the quick fixing feature in the Security Center console or log on to the required server to fix the vulnerability.

        • Quick fixing (recommended)

          Security Center allows you to use the quick fixing feature to fix one or more Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities at a time on a server.

          1. In the security bulletin list of the Linux Software Vulnerability tab, find and click the required security bulletin.

          2. In the vulnerability list of the Pending vulnerability tab in the panel that appears, find the required server and click Fix in the Actions column. In the Fix dialog box, select an option to determine whether to create a snapshot of the server and click Fix Now.

            You can select multiple servers and click Fix below the vulnerability list to fix the vulnerabilities on the selected servers at a time.

            Warning

            Security Center may fail to fix a vulnerability. If a vulnerability fails to be fixed, service interruptions occur. Before you fix a vulnerability, we recommend that you create a snapshot of the system. This allows you to restore service data by using the snapshot in an efficient manner.

        • Manual fixing

          1. In the security bulletin list of the Linux Software Vulnerability tab, find the required security bulletin and click the CVE ID of the vulnerability that you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library.

          2. In the SOLUTION section, view the solution to the vulnerability. Then, log on to the required server to fix the vulnerability based on the solution.

          3. After the vulnerability is fixed, return to the Security Center console. On the Vulnerabilities page, find and click the security bulletin for the fixed vulnerability to go to the details panel. In the vulnerability list of the Pending vulnerability tab, find the server on which you fixed the vulnerability and click Verify in the Actions column to check whether the vulnerability is successfully fixed.

        If the vulnerability is successfully fixed, the status of the vulnerability changes to Fixed.

      • Ignore

        If you confirm that the vulnerability does not need to be fixed, you can add the vulnerability to the whitelist to ignore the vulnerability. After the vulnerability is added to the whitelist, Security Center no longer generates alerts for the vulnerability on the specified servers in the subsequent detection. In this example, a Linux software vulnerability is used. You can perform the following operations to ignore a Linux software vulnerability:

        • In the security bulletin list of the Linux Software Vulnerability tab, find and click the required security bulletin.

        • In the vulnerability list of the Pending vulnerability tab in the panel that appears, select one or more servers for which you want to ignore the detected vulnerabilities and click Ignore below the vulnerability list. In the dialog box that appears, enter a description and click OK.

      Fix application vulnerabilities and urgent vulnerabilities

      Application vulnerabilities and urgent vulnerabilities do not support quick fixing. If you want to fix these types of vulnerabilities, you must log on to the server on which the vulnerabilities are detected and manually fix the vulnerabilities based on the fix suggestions that are provided on the details pages of the vulnerabilities. In this example, an application vulnerability is used. The following list describes how to fix and ignore an application vulnerability:

      • Fix

        If you confirm that the vulnerability needs to be fixed, you can log on to the required server to manually fix the vulnerability.

        1. In the security bulletin list of the Application Vulnerability tab, find and click the required security bulletin to view the details about the vulnerability and fix suggestions.

        2. In the vulnerability list of the Pending vulnerability tab in the panel that appears, find the required server and click Details in the Actions column. You can view the details about the vulnerabilities that are detected on the server.

        1. After the vulnerability is fixed, return to the Security Center console. On the Vulnerabilities page, find and click the security bulletin for the fixed vulnerability to go to the details panel. In the vulnerability list of the Pending vulnerability tab, find the server on which you fixed the vulnerability and click Verify in the Actions column to check whether the vulnerability is successfully fixed.

          If the vulnerability is successfully fixed, the status of the vulnerability changes to Fixed.

        2. If an application vulnerability is detected based on software component analysis, perform the following operations to view the reason why the vulnerability is successfully fixed: In the vulnerability list of the Pending vulnerability tab, find the vulnerability and click Details in the Actions column.

          The vulnerability may be successfully fixed due to the following reasons:

          • The vulnerability detection rule is unpublished.

          • The process does not exist.

          • The component does not exist.

          • The component is updated. If this reason is displayed, the current version of the component is also displayed.

        3. Optional. If you cannot fix an application vulnerability, find the vulnerability in the vulnerability list of the Pending vulnerability tab and click Enable Protection Now in the Operate column. Then, you are redirected to the Application Protection page. You can add the related application process to application protection for protection. For more information, see Application protection.

          The application protection feature can effectively defend against attacks that exploit application vulnerabilities, zero-day vulnerabilities, and in-memory webshells.

          • If the assets that are affected by an application vulnerability are added to application protection in automatic access mode, Protected is displayed in the Operate column of the assets.

          • If the assets that are affected by an application vulnerability are added to application protection in manual access mode, you must click Verify in the Operate column or scan for application vulnerabilities again. Then, Protected can be displayed in the Operate column.

      • Ignore

        If you confirm that the vulnerability does not need to be fixed, you can add the vulnerability to the whitelist to ignore the vulnerability. After the vulnerability is added to the whitelist, Security Center no longer detects the vulnerability on the specified servers in the subsequent detection. In this example, an application vulnerability is used. You can perform the following operations to ignore an application vulnerability:

        1. In the security bulletin list of the Application Vulnerability tab, find and click the required security bulletin.

        2. In the vulnerability list of the Pending vulnerability tab in the panel that appears, select one or more servers for which you want to ignore the detected vulnerabilities and click Ignore below the vulnerability list. In the dialog box that appears, enter a description and click OK.

    Description of the panel that shows the details about a security bulletin for Linux software vulnerabilities

    Parameter

    Description

    CVE ID

    The CVE ID of a vulnerability. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to query relevant information about vulnerability fixes in databases that are compatible with CVE. This way, security issues can be resolved.

    Impact

    The Common Vulnerability Scoring System (CVSS) score of a vulnerability. A CVSS score follows the widely accepted industry standard and is calculated by using the formula that depends on several attributes of the vulnerability. The score is used to determine the severity of the vulnerability.

    The following list describes the severity rating scale in CVSS v3.0:

    • 0: none.

    • 0.1 to 3.9: low-severity vulnerabilities.

      • Vulnerabilities that can cause local denial-of-service (DoS) attacks

      • Vulnerabilities that have minor impacts

    • 4.0 to 6.9: medium-severity vulnerabilities.

      • Vulnerabilities that affect users only during system and user interactions.

      • Vulnerabilities that attackers can exploit to perform unauthorized operations.

      • Vulnerabilities that attackers can exploit after the attackers change the configurations of on-premises machines or obtain important information.

    • 7.0 to 8.9: high-severity vulnerabilities.

      • Vulnerabilities that attackers can exploit to indirectly obtain permissions on the operating system of your server and applications.

      • Vulnerabilities that attackers can exploit to read, write, download, or delete files.

      • Vulnerabilities that can cause sensitive data leaks.

      • Vulnerabilities that can cause service interruptions or remote DoS attacks.

    • 9.0 to 10.0: critical-severity vulnerabilities.

      • Vulnerabilities that attackers can exploit to directly obtain permissions on your server.

      • Vulnerabilities that attackers can exploit to directly obtain sensitive data and cause data leaks.

      • Vulnerabilities that can cause unauthorized access to sensitive data.

      • Vulnerabilities that can cause large-scale impacts.

    Affected Assets

    The information about assets that are affected by vulnerabilities. The information includes the public and private IP addresses of the assets.

    Severity

    The vulnerability priority. The following items describe the priorities:

    • High: We recommend that you fix high-priority vulnerabilities at the earliest opportunity.

    • Medium: You can fix medium-priority vulnerabilities based on your business requirements.

    • Low: You can fix or ignore low-priority vulnerabilities based on your business requirements.

    Details

    The details about the vulnerability. You can find a vulnerability on the Vulnerability Detail tab and click Details in the Operate column to view the information such as Fix Command and Cause.

    • Fix Command: the command that you can run to fix the involved Linux software vulnerabilities.

    • Impact description:

      • Software: the version of the software on the current server.

      • Cause: the reason why the software has the vulnerabilities. In most cases, the vulnerabilities are detected due to the outdated version of the software.

      • Path: the path of the software on the server.

    • Caution: important notes, prevention tips, and references for the vulnerabilities.

    FAQ

    1. I want to fix a vulnerability, but the Fix button is dimmed. Why?

    • The Fix button for a Linux software vulnerability is dimmed

      • For some outdated or commercial operating systems, you must manually upgrade the operating systems to fix vulnerabilities.

        Note

        If you use one of the following operating systems, you must upgrade your operating system to fix vulnerabilities:

        • Red Hat 5, Red Hat 6, Red Hat 7, and Red Hat 8

        • CentOS 5

        • Ubuntu 12

      • Linux software vulnerabilities may fail to be fixed due to issues, such as insufficient disk space on your server or unauthorized access to files. Before you fix Linux software vulnerabilities in the Security Center console, you must manually handle the issues on the server. The following list describes these issues and solutions:

        • The disk space is less than 3 GB.

          Solution: Resize or clear the disk. Then, fix the vulnerabilities again in the Security Center console.

        • The apt-get or APT/YUM process is running.

          Solution: Wait until the process is complete, or manually stop the process. Then, fix the vulnerability again in the Security Center console.

        • The system prompts insufficient permissions on running the APT, YUM, or RPM command.

          Solution: Check and manage access permissions on the files. We recommend that you set file permissions to 755, and make sure that the file owner is the root user. Then, fix the vulnerability again in the Security Center console.

          Note

          After you set file permissions to 755, the file owner has the read, write, and execute permissions on the file. Other users and the user group to which the file owner belongs have read and execute permissions on the file.

    • The Fix button for a Windows system vulnerability is dimmed

      If the disk space of a server is insufficient or the Windows Update service is running, Windows system vulnerabilities fail to be fixed and the Fix button is dimmed. Before you fix Windows system vulnerabilities in the Security Center console, you must manually handle the issues on the server. To view the server issues and solutions provided by Security Center, move the pointer over the Fix button. The following list describes these issues and solutions:

      • The Windows Update service is running.

        Solution: Wait for a few minutes and fix the vulnerabilities again. Alternatively, terminate the Wusa process on the server and fix the vulnerabilities again in the Security Center console.

      • The Windows Update service is disabled.

        Solution: Start Task Manager of the server and enable the Windows Update service. Then, fix the vulnerabilities again in the Security Center console.

      • The server disk space is less than 500 MB.

        Solution: Resize or clear the disk. Then, fix the vulnerabilities again in the Security Center console.

    2. Linux software vulnerabilities and Windows system vulnerabilities fail to be fixed. Why?

    If the system prompts that a fix failed when you fix a Linux software vulnerability or a Windows system vulnerability in the Security Center console, follow the instructions in the following table to troubleshoot the failure.

    Note

    We recommend that you identify the cause of a fix failure by following instructions in the table from top to bottom.

    Cause

    Description

    Solution

    The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.

    If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix may fail. Specific issues may cause the Security Center agent to be disconnected from Alibaba Cloud. For example, the network connection between the server and Security Center is abnormal, or the CPU utilization or memory usage of the server is excessively high.

    Troubleshoot the Security Center agent disconnection. For more information, see Identify why the Security Center agent is offline.

    The disk or memory space of the server on which the vulnerability is detected is insufficient.

    If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.

    To troubleshoot this failure, perform the following steps:

    1. Increase the storage space of the server or delete unnecessary files from the server.

    2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console.

    No permissions are granted to read or write the disk file system of the server on which the vulnerability is detected.

    If you do not have the read and write permissions on the disk file system, Security Center cannot download the patch package that is required to fix the vulnerability.

    To troubleshoot this failure, perform the following steps:

    1. Obtain the read and write permissions on the disk file system.

    2. After you obtain the permissions, fix the vulnerability again in the Security Center console.

    Linux software vulnerability: Configuration errors occur in the system update source for the server on which the vulnerability is detected.

    If configuration errors occur in the system update source or the YUM repositories are not updated to the latest version, Security Center cannot install the updates as expected.

    To troubleshoot this failure, perform the following steps:

    1. Reconfigure the system update source. The following methods are available:

      • Log on to the Security Center console and go to the Vulnerabilities page. In the upper-right corner of the page, click Settings. In the panel that appears, turn on Priority to use Alibaba Cloud source for YUM/APT Source Configuration.

        After you turn on the switch, Security Center automatically uses the YUM or APT source of Alibaba Cloud to download the update and fix the vulnerability. This increases the success rate of vulnerability fixes.

      • Make sure that the YUM repositories are up-to-date.

    2. Fix the vulnerability again in the Security Center console.

    Linux software vulnerability: The RPM database is corrupted.

    If the RPM database is corrupted, Security Center cannot install the software package that is required to fix the vulnerability.

    To troubleshoot this failure, perform the following steps:

    1. Run the rm -f /var/lib/rpm/_db.* command to delete the RPM lock file.

    2. Run the rpm -rebuilddb command to rebuild the RPM database.

    Note

    This command may take a long time to run.

    Windows system vulnerability: The prepatch for the vulnerability is missing.

    If the prepatch for the vulnerability is missing, the vulnerability fix may fail.

    To troubleshoot this failure, perform the following steps:

    1. Install the prepatch.

    2. After the prepatch is installed, fix the vulnerability again in the Security Center console.

    Windows system vulnerability: The Windows Update or Windows Modules Installer service is disabled on the server on which the vulnerability is detected.

    If the Windows Update or Windows Modules Installer service is disabled, Security Center cannot download the patch package that is required to update the server system.

    To troubleshoot this failure, perform the following steps:

    1. Enable the Windows Update and Windows Modules Installer services.

    2. Fix the vulnerability again in the Security Center console.

    Windows system vulnerability: Errors occur during the downloading and installation of the patch package that is required to fix the vulnerability.

    If the patch package is not found or is incompatible with the server operating system, the vulnerability fix may fail.

    To troubleshoot this failure, perform the following operations:

    • The patch package is not found.

      Download the patch package again. Then, fix the vulnerability.

    • The patch package is incompatible with the server operating system.

      Log on to the Security Center console and ignore the vulnerability on the Vulnerabilities page.

    • Another patch is being installed.

      You cannot install two patches at the same time. We recommend that you fix the vulnerability after the current patch is installed.

    Windows system vulnerability: Other errors occur on the server.

    None.

    To troubleshoot this failure, perform the following operations:

    3. Web-CMS vulnerabilities fail to be fixed. Why?

    If the system prompts that a fix failed when you fix a Web-CMS vulnerability in the Security Center console, follow the instructions in the following table to troubleshoot the failure.

    Note

    We recommend that you identify the cause of a fix failure by following instructions in the table from top to bottom.

    Cause

    Description

    Solution

    The network connection is abnormal.

    The network connection between the server and Security Center is abnormal. In this case, the Security Center agent is disconnected from Alibaba Cloud. This causes the vulnerability fix to fail.

    Fix the network connection error to bring the Security Center agent online. For more information, see Identify why the Security Center agent is offline.

    The Security Center agent of the server on which the vulnerability is detected is disconnected from Alibaba Cloud.

    If the Security Center agent is disconnected from Alibaba Cloud, the vulnerability fix may fail. Specific issues may cause the Security Center agent to be disconnected from Alibaba Cloud. For example, the network connection between the server and Security Center is abnormal, or the CPU utilization or memory usage of the server is excessively high.

    Troubleshoot the Security Center agent disconnection. For more information, see Identify why the Security Center agent is offline.

    The disk or memory space of the server on which the vulnerability is detected is insufficient.

    If the disk does not have sufficient space, Security Center cannot download the patch package that is required to fix the vulnerability.

    To troubleshoot this failure, perform the following steps:

    1. Increase the storage space of the server or delete unnecessary files from the server.

    2. Check whether the server can provide sufficient space. If yes, fix the vulnerability again in the Security Center console.

    Third-party security software is installed on the server on which the vulnerability is detected.

    If security software, such as SafeDog, is installed on the server and you have optimized directory permissions or modified relevant settings by using the software, the system account may not have permissions to write the files in the www directory and its subdirectories. As a result, the vulnerability fix may fail.

    Check whether the system account has the read and write permissions on the www directory and its subdirectories. If no, manually grant the permissions to the system account.

    The vulnerability file does not exist.

    If the vulnerability file is deleted, Security Center prompts that the fix failed.

    To troubleshoot this failure, perform the following steps:

    1. Check whether the vulnerability file is deleted from the required server directory, which can be obtained from the vulnerability details in the Security Center console.

    2. If the vulnerability file is deleted, ignore the vulnerability.

    4. After I fix a vulnerability, the status of the vulnerability is still Unfixed. Why?

    After you fix a vulnerability, the status of the vulnerability is not automatically updated. The status is updated only after you perform a vulnerability scan. The following list describes possible causes and solutions. The causes and solutions vary based on the Security Center edition.

    • Basic and Anti-virus: The vulnerability is still in the Unfixed state because latency exists in vulnerability scans. Security Center automatically scans for vulnerabilities every two days. We recommend that you check the status of the vulnerability two days after you fix the vulnerability.

    • Advanced, Enterprise, and Ultimate: After you fix the vulnerability, you must manually perform a vulnerability scan. After the vulnerability scan is complete, you can view the latest status of the vulnerability. For more information, see Scan for vulnerabilities.

    5. Does Security Center automatically fix vulnerabilities?

    No, Security Center does not automatically fix vulnerabilities. Security Center supports only the vulnerability detection and quick fixing features. After you enable the quick fixing feature, Security Center delivers vulnerability fixing tasks online. When Security Center scans for vulnerabilities, Security Center also verifies whether the vulnerabilities are fixed. If a previously detected vulnerability is not detected in the vulnerability scan, Security Center changes the status of the vulnerability to Fixed. A previously detected vulnerability may not be detected in the vulnerability scan due to the following reasons: You logged on to the server on which the vulnerability is detected and manually updated the software package. The container on which the vulnerability is detected stops running. The components of the vulnerability do not exist. The process on which the vulnerability is detected does not exist.

    References

    How often does Security Center detect vulnerabilities?

    What are the differences between baselines and vulnerabilities?

    What do I do if I cannot enable the vulnerability detection feature for a server in the Assets module?