
Security Center:Scan for vulnerabilities

Updated: Jul 03, 2024

To ensure the security of your assets, we recommend that you scan your assets for vulnerabilities on a regular basis. This topic describes the types of vulnerabilities that Security Center can detect and fix. This topic also describes how to run an automatic periodic scan task on your servers and how to manually perform a vulnerability scan.

Vulnerabilities that can be detected and fixed

Vulnerability scan and fixing

Security Center scans for application vulnerabilities based on the following methods:

  • Web Scanner: inspects network traffic to detect vulnerabilities in your system. For example, you can use this method to scan for SSH weak passwords and remote command execution.

  • Software Component Analysis: identifies software versions to detect vulnerabilities in your system. For example, you can use this method to scan for vulnerabilities in Apache Shiro authorization and Kubernetes kubelet resource management.

The following table describes the types of vulnerabilities that can be detected and fixed in each edition of Security Center.

Note

In the following table, Yes indicates that the feature is supported in the edition and No indicates that it is not supported.

Vulnerability type           | Feature                               | Basic | Value-added Plan | Anti-virus | Advanced | Enterprise | Ultimate
Linux software vulnerability | Manual vulnerability scan             | No    | No               | No         | Yes      | Yes        | Yes
Linux software vulnerability | Periodic automatic vulnerability scan | Yes   | Yes              | Yes        | Yes      | Yes        | Yes
Linux software vulnerability | Vulnerability fixing                  | No    | Quota (1)        | Quota (1)  | Yes      | Yes        | Yes
Windows system vulnerability | Manual vulnerability scan             | No    | No               | No         | Yes      | Yes        | Yes
Windows system vulnerability | Periodic automatic vulnerability scan | Yes   | Yes              | Yes        | Yes      | Yes        | Yes
Windows system vulnerability | Vulnerability fixing                  | No    | Quota (2)        | Quota (2)  | Yes      | Yes        | Yes
Web-CMS vulnerability        | Manual vulnerability scan             | No    | No               | No         | Yes      | Yes        | Yes
Web-CMS vulnerability        | Periodic automatic vulnerability scan | Yes   | Yes              | Yes        | Yes      | Yes        | Yes
Web-CMS vulnerability        | Vulnerability fixing                  | No    | No               | No         | Yes      | Yes        | Yes
Application vulnerability    | Manual vulnerability scan             | No    | No               | No         | No       | Yes        | Yes
Application vulnerability    | Periodic automatic vulnerability scan | No    | No               | No         | No       | Yes        | Yes
Application vulnerability    | Vulnerability fixing                  | No    | No               | No         | No       | No         | No
Urgent vulnerability         | Manual vulnerability scan             | Yes   | Yes              | Yes        | Yes      | Yes        | Yes
Urgent vulnerability         | Periodic automatic vulnerability scan | No    | No               | No         | Yes      | Yes        | Yes
Urgent vulnerability         | Vulnerability fixing                  | No    | No               | No         | No       | No         | No

(1) You must purchase a quota for vulnerability fixing or purchase vulnerability fixing based on the pay-as-you-go billing method.

(2) You must purchase a quota for vulnerability fixing.

Web-CMS vulnerabilities that can be detected

The following list shows the check items for each component type.

74CMS

  • Multiple SQL injection vulnerabilities in 74CMS

  • Privilege escalation vulnerability in 74CMS

  • SQL injection vulnerability in 74CMS

  • Arbitrary file deletion vulnerability in 74CMS v4.1.15

  • Arbitrary file read vulnerability in the latest version of 74CMS

DedeCMS

  • Variable overwrite vulnerability in DedeCMS

  • Arbitrary file upload vulnerability in DedeCMS

  • Reinstallation vulnerability in DedeCMS

  • Injection vulnerability in DedeCMS

  • File upload vulnerability in DedeCMS

  • Password resetting vulnerability in DedeCMS

  • Vulnerability of arbitrary user logon from the frontend caused by cookie leaks in DedeCMS

  • SQL injection vulnerability caused by session variable overwriting in DedeCMS

  • Vulnerability of arbitrary file upload at the backend in DedeCMS

  • SQL injection vulnerability in DedeCMS

  • Template SQL injection vulnerability in DedeCMS

  • SQL injection vulnerability caused by cookie leaks in DedeCMS

  • Payment plug-in injection vulnerability in DedeCMS

  • Arbitrary file deletion by registered users in DedeCMS V5.7

  • CSRF protection bypass vulnerability in DedeCMS V5.7

  • Arbitrary file upload by common users in DedeCMS select_soft_post.php

  • Arbitrary file upload vulnerability in DedeCMS V5.7 SP2 (CVE-2019-8362)

Discuz

  • Code execution vulnerability in Discuz!

  • MemCache + ssrf permission acquisition vulnerability (GetShell) in Discuz!

  • Backend SQL injection vulnerability in Discuz!

  • Arbitrary attachment download caused by privilege escalation vulnerabilities in Discuz!

  • Arbitrary file deletion vulnerability in Discuz!

  • Encrypted message forgery vulnerability caused by authcode function defects in Discuz!

  • Command execution vulnerability in the backend database backup feature of Discuz!

ECShop

  • Code injection vulnerability in ECShop

  • Password retrieval vulnerability in ECShop

  • Injection vulnerability in ECShop

  • ECShop backdoor

  • Arbitrary user logon vulnerability in ECShop

  • Backend SQL injection vulnerability in ECShop

  • SQL injection vulnerability in ECShop

  • Vulnerability of overwriting variables in the ECShop installation directory at the backend

  • Code execution caused by SQL injection vulnerabilities in ECShop

  • Secondary injection vulnerability in ECShop

  • Backend permission acquisition vulnerability in ECShop (GetShell)

  • Backend file download vulnerability in ECShop 2.7.3

FCKEditor

  • Arbitrary file upload vulnerability in FCKeditor

Joomla

  • Remote code execution (RCE) vulnerability caused by malformed deserialized packet injection in Joomla!

  • Unauthorized user creation vulnerability in Joomla! (CVE-2016-8870)

  • Core SQL injection vulnerability in Joomla! 3.7.0

  • SQL injection vulnerability in Joomla!

PHPCMS

  • Injection vulnerability in PHPCMS

  • AuthKey leak vulnerability in PHPCMS

  • Wide byte injection vulnerability in PHPCMS v9

  • Arbitrary file read vulnerability caused by frontend code injection in PHPCMS

  • Permission acquisition vulnerability caused by specific logic issues in PHPCMS (GetShell)

  • AuthKey leak caused by AuthKey generation algorithm issues in PHPCMS

  • SQL injection vulnerability in PHPCMS v9.6.2

  • common.inc RCE vulnerability in PHPCMS 2008

  • RCE vulnerability in template cache of PHPCMS 2008

phpMyAdmin

  • Deserialized injection vulnerability in phpMyAdmin

  • CVE-2016-6617 SQL injection vulnerability in phpMyAdmin

  • Permission acquisition vulnerability caused by checkPageValidity function defects in phpMyAdmin version 4.8.1 and earlier (GetShell)

  • phpMyAdmin 4.8.5

phpwind

  • GET request CSRF vulnerability in PHPWind v9 task center

  • Permission acquisition vulnerability caused by MD5 padding vulnerabilities in PHPWind v9 (GetShell)

  • Backend SQL injection vulnerability in PHPWind

  • Cross-site scripting (XSS) injection into UBB tag attributes in PHPWind

ThinkPHP5

  • Medium-risk permission acquisition vulnerability caused by cache function design flaws in ThinkPHP 5.0.10-3.2.3 (GetShell)

  • High-risk RCE vulnerability in ThinkPHP 5.0

  • RCE vulnerability in ThinkPHP 5.1.X to 5.1.30 (included)

  • High-risk Request.php RCE vulnerability in versions earlier than ThinkPHP 5.0.24

WordPress

  • Arbitrary file upload vulnerability in WordPress

  • IP address verification vulnerability in WordPress

  • WP_Image_Editor_Imagick instruction injection vulnerability in WordPress

  • XSS vulnerability in the bbPress plug-in of WordPress

  • Mailpress RCE vulnerability in WordPress

  • DOS vulnerability caused by arbitrary directory traversal in the backend plug-in update module of WordPress

  • SQL injection vulnerability caused by arbitrary user logon to the backend plug-in of WordPress

  • Username enumeration vulnerability in versions earlier than WordPress 4.7.1 (CVE-2017-5487)

  • SQL injection vulnerability in WordPress

  • XSS vulnerability in WordPress

  • Content injection vulnerability in WordPress

  • RCE vulnerabilities caused by the sitename field in WordPress Mail

  • SQL injection vulnerability in the Catalogue plug-in of WordPress

  • Arbitrary file deletion vulnerability in WordPress

  • Permission acquisition vulnerability caused by multiple defects, such as Author permission path traversal in WordPress (GetShell)

Application vulnerabilities that can be detected

The following list shows the check items for each vulnerability type.

Weak passwords in system services

  • OpenSSH services

  • MySQL database services

  • Microsoft SQL Server (MSSQL) database services

  • MongoDB database services

  • FTP, VSFTP, and ProFTPD services

  • Memcache cache services

  • Redis caching services

  • Subversion control services

  • Server Message Block (SMB) file sharing services

  • Simple Mail Transfer Protocol (SMTP) email delivery services

  • Post Office Protocol 3 (POP3) email reception services

  • Internet Message Access Protocol (IMAP) email management services

Vulnerabilities in system services

  • OpenSSL heartbleed vulnerabilities

  • SMB

    • Samba

    • Brute-force attacks against weak passwords

  • RSYNC

    • Anonymous access to sensitive data

    • Brute-force attacks against password-based authentication

  • Brute-force attacks against Virtual Network Console (VNC) passwords

  • Brute-force attacks against pcAnywhere passwords

  • Brute-force attacks against Redis passwords

Vulnerabilities in application services

  • phpMyAdmin weak passwords

  • Tomcat console weak passwords

  • Apache Struts 2 remote command execution vulnerabilities

  • Apache Struts 2 remote command execution vulnerability (S2-046)

  • Apache Struts 2 remote command execution vulnerability (S2-057)

  • Arbitrary file uploads in ActiveMQ (CVE-2016-3088)

  • Arbitrary file reads in Confluence

  • CouchDB Query Server remote command execution

  • Brute-force attacks against administrator weak passwords in Discuz!

  • Unauthorized access to Docker

  • Remote code execution in Drupal Drupalgeddon 2 (CVE-2018-7600)

  • ECshop code execution vulnerabilities in logon endpoints

  • Unauthorized access to Elasticsearch

  • Elasticsearch MvelRCE CVE-2014-31

  • Elasticsearch Groovy RCE CVE-2015-1427

  • Expression Language (EL) Injection in Weaver OA

  • Unauthorized access to Hadoop YARN ResourceManager

  • Path traversal in JavaServer Faces 2

  • Java deserialization in JBoss EJBInvokerServlet

  • Anonymous access to Jenkins Manage (CVE-2018-1999001 and CVE-2018-1999002)

  • Unauthorized access to Jenkins

  • Jenkins Script Security Plugin RCE

  • Unauthorized access to Kubernetes

  • SQL injection vulnerabilities in the MetInfo getPassword interface

  • SQL injection vulnerabilities in the MetInfo logon interface

  • Arbitrary file uploads in PHPCMS 9.6

  • PHP-CGI remote code execution vulnerabilities

  • Actuator unauth RCE

  • ThinkPHP_RCE_20190111

  • Server-side request forgery (SSRF) in WebLogic UDDI Explorer

  • SSRF in WordPress xmlrpc.php

  • Brute-force attacks against the Zabbix web console

  • OpenSSL heartbleed detection

  • Unauthorized access to the WEB-INF directory in Apache Tomcat

Server IP addresses of the web scanner

When you use Security Center to scan your servers for application vulnerabilities and urgent vulnerabilities, Security Center simulates attacks launched from the Internet against your servers. Security Center sends only request packets and does not perform malicious operations. If your servers are protected by a security protection or monitoring system, such as Web Application Firewall (WAF) or Secure Operations Center (SOC), we recommend that you add the server IP addresses of the web scanner to the whitelist of that system. This ensures that your scan tasks run as expected. You must add the following IP addresses to the whitelist in your security protection or monitoring system: 47.110.180.32, 47.110.180.33, 47.110.180.34, 47.110.180.35, 47.110.180.36, 47.110.180.37, 47.110.180.38, 47.110.180.39, 47.110.180.40, 47.110.180.41, 47.110.180.42, 47.110.180.43, 47.110.180.44, 47.110.180.45, 47.110.180.46, 47.110.180.47, 47.110.180.48, 47.110.180.49, 47.110.180.50, 47.110.180.51, 47.110.180.52, 47.110.180.53, 47.110.180.54, 47.110.180.55, 47.110.180.56, 47.110.180.57, 47.110.180.58, 47.110.180.59, 47.110.180.60, 47.110.180.61, 47.110.180.62, and 47.110.180.63. These 32 consecutive addresses make up the 47.110.180.32/27 block.

Note

The s0x.cn domain name is an auxiliary domain name that Security Center uses to detect application vulnerabilities and urgent vulnerabilities. It operates independently of the whitelist settings.
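The whitelist above is a run of 32 consecutive addresses, and a SOC that receives WAF or web-server logs also needs to tell scanner requests apart from other traffic when tuning alerts. The following Python script is an added example, not part of this topic or of Security Center: it collapses the listed addresses into the CIDR block that most allowlists accept, and sorts constructed sample access-log lines into scanner traffic and other traffic. The log lines and the 203.0.113.7 address are constructed for the example.

```python
import ipaddress
import re

# The 32 web-scanner addresses listed on this page, 47.110.180.32 to 47.110.180.63.
SCANNER_IPS = [f"47.110.180.{i}" for i in range(32, 64)]

# Minimal parser for common/combined access-log lines: the client IP is the first field.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def scanner_networks(ips=SCANNER_IPS):
    """Collapse the address list into the smallest set of CIDR blocks.

    For the 32 addresses on this page the result is one block, 47.110.180.32/27,
    which is the form most firewall and WAF allowlists accept.
    """
    hosts = [ipaddress.ip_network(ip) for ip in ips]
    return sorted(ipaddress.collapse_addresses(hosts))

def is_scanner_ip(ip, networks=None):
    """Return True if ip falls inside one of the scanner networks."""
    if networks is None:
        networks = scanner_networks()
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def classify_log_lines(lines, networks=None):
    """Split access-log lines into (scanner_lines, other_lines).

    Lines that do not parse are kept in other_lines so nothing is silently dropped.
    """
    if networks is None:
        networks = scanner_networks()
    scanner, other = [], []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and is_scanner_ip(m.group("ip"), networks):
            scanner.append(line)
        else:
            other.append(line)
    return scanner, other

# Constructed sample log lines; these are not from any real server.
SAMPLE_LOG = [
    '47.110.180.40 - - [03/Jul/2024:01:12:09 +0800] "GET / HTTP/1.1" 200 512',
    '47.110.180.63 - - [03/Jul/2024:01:12:10 +0800] "GET /index.php HTTP/1.1" 200 2048',
    '47.110.180.64 - - [03/Jul/2024:01:12:11 +0800] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [03/Jul/2024:01:13:42 +0800] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    nets = scanner_networks()
    print("scanner allowlist:", [str(n) for n in nets])
    hits, rest = classify_log_lines(SAMPLE_LOG, nets)
    print(f"{len(hits)} line(s) from the scanner, {len(rest)} other line(s)")
```

Note that 47.110.180.64 is outside the listed range and is therefore classified as other traffic; an allowlist entry that is one bit too wide would silently admit it.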

Procedure

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

  3. On the Vulnerabilities page, manually perform vulnerability scan or run an automatic periodic scan task on your servers.

    • Manually perform vulnerability scan: If you want to immediately check whether vulnerabilities exist in your servers, you can use the quick scan feature to scan your servers for vulnerabilities.

      Before you perform quick scan, perform the following steps to check whether the required servers are added: Click Vulnerability Settings in the upper-right corner of the Vulnerabilities page. In the Vulnerability Settings panel, click Manage to the right of a vulnerability type.

      1. On the Vulnerability Management page, click Scan now.

      2. In the Vulnerability Scan dialog box, select the type of vulnerabilities for which you want to scan and click OK.

        After a scan task is created, you must wait at least 15 minutes before you can stop it.

        Note

        If you did not specify the servers on which the vulnerability scan task runs, the scan task runs on all assets that are protected by Security Center and is complete within 30 minutes. You can refresh the page to view the most recent scan results.

    • Run an automatic periodic scan task.

      You can configure a scan cycle for an automatic periodic scan task. Then, Security Center runs the automatic periodic scan tasks to scan for vulnerabilities on your servers on a regular basis.

      1. In the upper-right corner of the Vulnerability Management page, click Vulnerability Settings.

      2. In the Vulnerability Settings panel, configure the parameters based on your business requirements. The following list describes the parameters.

        Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability, and Urgent Vulnerability

          Turn on or turn off the switches to enable or disable the scan for Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, and urgent vulnerabilities. After you turn on a switch, you can click Manage on the right side to add or remove the servers that you want to scan for the corresponding vulnerabilities.

        Application Vulnerability

          Turn on or turn off the switch to enable or disable the scan for application vulnerabilities.

        YUM/APT Source Configuration

          Turn on or turn off the switch to specify whether to preferentially use the YUM or APT sources of Alibaba Cloud to fix vulnerabilities.

          Before you fix a Linux software vulnerability, you must specify a valid YUM or APT source. If you specify an invalid YUM or APT source, the vulnerability may fail to be fixed. After you turn on the switch, Security Center automatically selects a YUM or APT source of Alibaba Cloud, which improves the success rate of vulnerability fixing. We recommend that you turn on YUM/APT Source Configuration.

        Emergency vul(s) Scan Cycle

          Specify the scan cycle for urgent vulnerabilities.

          Note

          • Only the Advanced, Enterprise, and Ultimate editions are supported. The default scan period is 00:00:00 to 07:00:00.

          • If your servers are deployed in a private network or urgent vulnerability detection is not required, you can set the Emergency vul(s) Scan Cycle parameter to Stop.

          • Your servers may be attacked in various ways. We recommend that you set the Emergency vul(s) Scan Cycle parameter to a value other than Stop. This way, Security Center detects urgent vulnerabilities on your servers in a timely manner.

        Application Vul(s) Scan Cycle

          Specify the scan cycle for application vulnerabilities.

          Note

          Only the Enterprise and Ultimate editions are supported. The default scan period is 00:00:00 to 07:00:00.

        Retain Invalid Vul for

          Specify the number of days after which a detected vulnerability is automatically deleted.

          If you do not handle a detected vulnerability and the vulnerability is no longer detected in multiple subsequent scans, the vulnerability is automatically deleted from the Vulnerabilities page after the specified number of days. If a vulnerability of the same type is detected later, Security Center still generates an alert.

        Vul scan level

          Specify the priorities of the vulnerabilities that you want Security Center to detect.

          Security Center detects and displays only vulnerabilities with the priorities that you specify. For example, if you select High and Medium, Security Center detects and displays only High-priority and Medium-priority vulnerabilities.

        Vulnerability Whitelist Settings

          If you do not want Security Center to detect a vulnerability, click Create Rule to add the vulnerability to the vulnerability whitelist.

          Note

          After you create a vulnerability whitelist rule, you can modify the scope of the rule or delete the rule.

What to do next

  • View the progress of vulnerability scan

    After you complete the configurations, Security Center scans your servers for vulnerabilities based on the configurations. You can click Task Management in the upper-right corner of the Vulnerability Management page to go to the Task Management page. Then, you can view the progress of the vulnerability scan. After the vulnerability scan is complete, you can click a tab on the Vulnerabilities page to view the most recent scan results.

  • View and handle vulnerabilities

    After the vulnerability scan is complete, you can view and handle the detected vulnerabilities on the Vulnerability Management page. For more information, see View and handle vulnerabilities.
