All Products
Search
Document Center

Security Center:View and handle vulnerabilities

更新時間:Aug 13, 2024

Vulnerabilities in a system provide an opportunity for attackers to intrude into the system. You can fix the vulnerabilities at the earliest opportunity to reduce potential security risks. Security Center provides detailed information about system vulnerabilities and allows you to fix some vulnerabilities with a few clicks. This helps you manage system security in an efficient manner. This topic describes how to view and handle vulnerabilities.

Prerequisites

A vulnerability scan is complete. For more information, see Scan for vulnerabilities.

View vulnerability scan results

View all vulnerabilities

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

  3. On the Vulnerabilities page, view the results of the vulnerability scan.

    • View the statistical information about vulnerability scan results.

      The following table describes the statistical information about vulnerability scan results.image

      No.

      Description

      The total number of security bulletins for high-risk vulnerabilities that are detected on your assets. If multiple security bulletins are matched for a single server, multiple security bulletins are counted.

      The number of security bulletins for Linux software vulnerabilities that are detected on your assets. The number next to each vulnerability type indicates the number of security bulletins for vulnerabilities of this type that are detected on your assets.

      The number of assets on which the vulnerabilities involved in a security bulletin are detected. The display color of the number indicates the priority to fix the vulnerabilities. The following list describes numbers in different colors:

      • Red: the number of servers on which vulnerabilities of the High priority are detected.

      • Orange: the number of servers on which vulnerabilities of the Medium priority are detected.

      • Gray: the number of servers on which vulnerabilities of the Low priority are detected.

      We recommend that you fix the vulnerabilities that have the High priority at the earliest opportunity. For more information, see Priorities to fix vulnerabilities.

    • View the overview of the vulnerability scan results

      In the upper part of the Vulnerabilities page, you can view the overall information about vulnerabilities.

      Parameter

      Description

      Recommended Fix (CVE)

      Click the number below Recommended Fix (CVE) to go to the Recommended Fix (CVE) panel. In this panel, you can view security bulletins for all types of vulnerabilities with the high priority. For more information about how to fix vulnerabilities, see Purchase the vulnerability fixing feature.

      Vul Servers

      Click the number below Vul Servers to go to the Server tab of the Host page. On the Server tab, you can view the details about the servers on which vulnerabilities are detected.

      VFixing

      Click the number below Fixing to go to the Fixing panel. In this panel, you can view the list of vulnerabilities that are being fixed and the fixing progress.

      Total Handled Vulnerabilities

      Click the number below Total Handled Vulnerabilities to go to the Total Handled Vulnerabilities panel. In this panel, you can view the list of affected assets for all vulnerabilities that are fixed and the related information.

      Hover the mouse over the image icon to view the number of vulnerabilities fixed today. Click More to view the detailed list of vulnerabilities fixed today on the Handled Vulnerabilities Today page.

      Disclosed Vulnerabilities

      Click the number below Disclosed Vulnerabilities to go to the Detectable Vulnerabilities panel. In this panel, you can view the list of details about the vulnerabilities that can be detected by Security Center. The details include CVE IDs, vulnerability names, vulnerability detection methods, vulnerability disclosure time, and vulnerability types. In this panel, you can also enter a CVE ID or a vulnerability name above the vulnerability list to search for a vulnerability. This way, you can check whether the vulnerability can be detected by Security Center. You can click the CVE ID of a vulnerability to view details about the vulnerability in the Alibaba Cloud vulnerability library.

      Defended Application Vulnerabilities

      Click the number under Defended Application Vulnerabilities to go to the Protection Configuration > Application Protection page to view the statistics of vulnerabilities defended by the application protection feature.

      Note

      Only users who have purchased quota for the application protection can view these statistics. For more information about how to purchase the feature, see Use the application protection feature.

    • View security bulletins

      Click the tab of a vulnerability type to view the security bulletins for vulnerabilities of the type that are detected by Security Center on your assets.

      Note

      If the new icon is displayed to the right of a security bulletin, the priority of the vulnerabilities involved in the security bulletin has been changed in the previous 15 days, or the vulnerabilities are recently disclosed.

    • Search for target vulnerabilities

      Use the filters and search box above the list of security bulletins to search for target vulnerabilities by the vulnerability priorities, vulnerability handling status, vulnerability names, or CVE IDs.

    • View vulnerability details

      Click a security bulletin to go to the details panel. In the panel, you can view the details about the vulnerabilities and the list of unhandled vulnerabilities. The list of unhandled vulnerabilities shows all assets where the vulnerability was detected. If multiple processes on a single server match the vulnerability, the list of unhandled vulnerabilities will display multiple entries.

      For more information, see Parameters in the panel that displays the details of a security bulletin for Linux software vulnerabilities.

      In the details panel, you can click the Unhandled Vulnerabilities tab to view the fixing status of a vulnerability in the Status column.

      Handled or not

      Status

      Description

      Handled

      Fixed

      The vulnerability is fixed.

      Fixing Failed

      Security Center failed to fix the vulnerability. The file that contains the vulnerability may have been modified or does not exist.

      Ignored

      The vulnerability is ignored. Security Center no longer generates alerts for this vulnerability.

      Invalid

      The vulnerability has not been detected in the specified time period. The following list describes the time periods after which vulnerabilities are considered invalid for different types of vulnerabilities:

      • Linux software vulnerabilities and Windows system vulnerabilities: 3 days

      • Web-CMS vulnerabilities: 7 days

      • Application vulnerabilities: 30 days

      • Urgent vulnerabilities: 90 days

      Unhandled

      Unfixed

      The vulnerability is not fixed.

      Verifying

      After you manually fix a vulnerability, you can click Verify in the Actions column to check whether the vulnerability is fixed. After you click Verify, the status of the vulnerability changes to Verifying from Unfixed.

    • Export the list of security bulletins.

      Click the 导出 icon in the upper-right corner of the vulnerability list to export the list of security bulletins.

View exploitable vulnerabilities

The exploitable vulnerability model of Security Center evaluates vulnerabilities based on the following factors: Alibaba Cloud vulnerability scoring system, time score, environment score, asset importance score, proof of concept (PoC), exploitability, and vulnerability severity. This way, the exploitable vulnerabilities are automatically identified. You can turn on Show only real risk vulnerabilities to help you fix the exploitable vulnerabilities at the earliest opportunity and improve the fixing efficacy. If you turn off Show only real risk vulnerabilities, all vulnerabilities are displayed. You can perform the following operations to turn on Show only real risk vulnerabilities:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

  3. On the Vulnerabilities page, turn on Show only real risk vulnerabilities.

    After you turn on the switch, exploitable vulnerabilities are displayed in the Security Center console.

Purchase the vulnerability fixing feature

  • If you use the Advanced, Enterprise, or Ultimate edition, you do not need to purchase the feature. You are provided an unlimited quota to fix the vulnerabilities that are detected on the protected servers within your account.

  • If you use the Basic, Value-added Plan, or Anti-virus edition, you must purchase the vulnerability fixing feature based on the pay-as-you-go or subscription billing method.

Important
  • If you purchase a quota for the vulnerability fixing feature based on the pay-as-you-go billing method, you can use the vulnerability fixing feature to fix only Linux software vulnerabilities and Windows system vulnerabilities.

  • If you want to disable the pay-as-you-go billing method, you can click Suspended in the Pay-as-you-go Vulnerability Fixing section of the Vulnerabilities page.

Handle vulnerabilities

Security Center can fix different types of vulnerabilities. For more information about the vulnerability fixing feature in different editions of Security Center, see Types of vulnerabilities that can be detected and fixed.

Important

If you fix vulnerabilities, risks may occur. We recommend that you fix vulnerabilities during off-peak hours to minimize impacts.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Vulnerabilities.

  3. On the Vulnerabilities page, handle vulnerabilities.

    Fix Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities

    Security Center allows you to fix and ignore vulnerabilities. In this example, a Linux software vulnerability is used. The following list describes how to fix and ignore a Linux software vulnerability:

    • Fix

      If you confirm that the vulnerability needs to be fixed, you can use the quick fixing feature in the Security Center console or log on to the required server to fix the vulnerability.

      • Quick fixing (recommended)

        Security Center allows you to use the quick fixing feature to fix one or more Linux software vulnerabilities, Windows system vulnerabilities, and Web-CMS vulnerabilities at a time on a server.

        • In the security bulletin list of the Linux Software Vulnerability tab, find and click the required security bulletin.

        • In the panel that appears, click the Unhandled Vulnerabilities tab. In the vulnerability list, find the required server and click Fix in the Actions column. In the Fix dialog box, select Automatically Create Snapshot and Fix Risk or Skip snapshot backup and fix directly and click Fix Now.

          You can select multiple servers and click Fix below the vulnerability list to fix the vulnerabilities on the selected servers at the same time.

          Warning

          In most cases, if you use the quick fixing method, you need to update the version of your system kernel or upgrade the software in which vulnerabilities are detected. However, if you update the system kernel version or upgrade software, incompatibility issues may occur, and your business may be affected. We recommend that you select Automatically Create Snapshot and Fix Risk to create a snapshot for your system. You can use a created snapshot to roll back your system to the time before you fix vulnerabilities. This helps quickly restore your business.

      • Manual fixing

        • In the security bulletin list of the Linux Software Vulnerability tab, find the required security bulletin and click the CVE ID of the vulnerability that you want to fix in the CVE ID column to go to the Alibaba Cloud vulnerability library.

        • In the SOLUTION section, view the solution to the vulnerability. Then, log on to the required server to fix the vulnerability based on the solution.

          Important

          Risks may occur during the vulnerability fixing process. Before you fix a vulnerability, we recommend that you back up the data on your server. If your server is an Elastic Compute Service (ECS) instance, you can create a snapshot of the instance to back up data. For more information, see Create a snapshot for a disk.

        • After the vulnerability is fixed, go back to the Security Center console. On the Vulnerabilities page, find and click the security bulletin for the fixed vulnerability to go to the details panel of the vulnerability. In the vulnerability list of the Unhandled Vulnerabilities tab, find the server on which you fixed the vulnerability and click Verify in the Actions column to check whether the vulnerability is successfully fixed. If the vulnerability is successfully fixed, the status of the vulnerability changes to Fixed.

    • Ignore and add to whitelist

      If you confirm that the vulnerability does not need to be fixed for the current asset, you can use the Ignore and Add to whitelist features provided by Security Center. In this example, a Linux software vulnerability is used. You can perform the following operations to ignore and add to whitelist a Linux software vulnerability:

      Ignore

      • In the security bulletin list of the Linux Software Vulnerability tab on the Vulnerabilities page, find and click the required security bulletin.

      • In the vulnerability list of the Unhandled Vulnerabilities tab in the panel that appears, select one or more servers for which you want to ignore the detected vulnerabilities and click Ignore below the vulnerability list. In the dialog box that appears, enter a description and click OK.

      • Optional. Go back to the Vulnerabilities page. Click the number under the Total Handled Vulnerabilities tab to view the list of ignored vulnerabilities.

        image.png

      Add to whitelist

      • In the security bulletin list of the Linux Software Vulnerability tab, select one or more vulnerabilities you want to add to the whitelist, click Add to Whitelist at the bottom of the list, fill in the remarks in the pop-up dialog box, and click Confirm.

      • Click Settings on the Vulnerabilities page, and in the Vulnerability Whitelist Settings tab of the Settings page, you can view the list of all vulnerabilities added to the whitelist.

        image

      • (Optional) You can also click Create Rule in the Vulnerability Whitelist Settings tab of the Settings page, select the vulnerabilities you need to add to the whitelist on the Create Vulnerability Whitelist Rule page, and click Confirm.

    Fix application vulnerabilities and urgent vulnerabilities

    Application vulnerabilities and urgent vulnerabilities do not support quick fixing. If you want to fix these types of vulnerabilities, you must log on to the server on which the vulnerabilities are detected and manually fix the vulnerabilities based on the fix suggestions that are provided on the details pages of the vulnerabilities. In this example, an application vulnerability is used. The following list describes how to fix and ignore an application vulnerability:

    • Fix

      If you confirm that the vulnerability needs to be fixed, you can log on to the required server to manually fix the vulnerability.

      1. In the security bulletin list of the Application Vulnerability tab, find and click the required security bulletin to view the details about the vulnerability and Suggestions.

      2. Optional. On the Application Vulnerability tab, find the required security bulletin and click Enable Protection Now in the Actions column. In the panel that appears, add the affected assets to the application protection feature. The assets are protected against the vulnerabilities involved in the security bulletin. For more information, see Manage application vulnerabilities.

      3. In the vulnerability list of the Unhandled Vulnerabilities tab in the panel that appears, find the required server and click Details in the Actions column. You can view the details about the vulnerabilities that are detected on the server.

      1. After the vulnerability is fixed, go back to the Security Center console. On the Vulnerabilities page, find and click the security bulletin for the fixed vulnerability to go to the details panel of the vulnerability. In the vulnerability list of the Unhandled Vulnerabilities tab, find the server on which you fixed the vulnerability and click Verify in the Actions column to check whether the vulnerability is successfully fixed.

        If the vulnerability is successfully fixed, the status of the vulnerability changes to Fixed.

      2. If an application vulnerability is detected based on software component analysis, perform the following operations to view the reason why the vulnerability is successfully fixed: In the vulnerability list of the Unhandled Vulnerabilities tab, find the vulnerability and click Details in the Actions column.

        The vulnerability may be successfully fixed due to the following reasons:

        • The vulnerability detection rule is unpublished.

        • The process does not exist.

        • The component does not exist.

        • The component is updated. If this reason is displayed, the current version of the component is also displayed.

      3. Optional. If an application vulnerability fails to be fixed, find the vulnerability in the vulnerability list on the Unhandled Vulnerabilities tab and click Enable Protection Now in the Actions column. Then, you are redirected to the Application Protection page. You can add the related application process to the application protection feature. For more information, see Use the application protection feature.

        The application protection feature can effectively defend against attacks that exploit application vulnerabilities, zero-day vulnerabilities, and in-memory webshells. The following list describes the status of affected assets based on protection scenarios:

        • If the assets that are affected by an application vulnerability are added to the application protection feature in automatic access mode, Protected is displayed in the Actions column of the assets.

        • If the assets that are affected by an application vulnerability are added to the application protection feature in manual access mode, click Verify in the Actions column or re-scan for application vulnerabilities. Then, Protected is displayed in the Actions column.

    • Ignore and add to whitelist

      If you confirm that the vulnerability does not need to be fixed for the current asset, you can use the Ignore and Add to whitelist features. Subsequent scans will not report vulnerabilities that have been added to the whitelist. In this example, an application vulnerability is used. You can perform the following operations to ignore an application vulnerability:

      Note

      Ignoring application vulnerabilities essentially means ignoring processes. If you ignore a vulnerability, it may be detected again when a new process starts. If you do not want new vulnerabilities to be generated, it is recommended to add the target vulnerability to the whitelist.

    Ignore

    1. In the security bulletin list of the Application Vulnerability tab of the Vulnerabilities page, find and click the required security bulletin.

    2. In the vulnerability list of the Unhandled Vulnerabilities tab in the panel that appears, select one or more servers for which you want to ignore the detected vulnerabilities and click Ignore below the vulnerability list.

    3. Return to the Vulnerabilities page, click the number under Total Handled Vulnerabilities. In the Total Handled Vulnerabilities page, under the Application Vulnerability tab, you can view the details of ignored application vulnerabilities.

      image

    Add to whitelist

    1. In the Vulnerabilities page, under the Application Vulnerability tab, select one or more vulnerabilities you want to add to the whitelist, click Add to Whitelist at the bottom of the list, fill in the remarks in the pop-up dialog box, and click Confirm.

      Note

      You can also click Create Rule in the Vulnerability Whitelist Settings tab of the Settings page, select the vulnerability you need to add to the whitelist on the Create Vulnerability Whitelist Rule page, and click Confirm.

    2. Click Settings on the Vulnerabilities page. In the Vulnerability Whitelist Settings tab of the Settings panel, you can view the list of all vulnerabilities added to the whitelist.

      image

Parameters in the panel that displays the details of a security bulletin for Linux software vulnerabilities

Parameter

Description

CVE ID

The CVE ID of a vulnerability. The CVE system provides a reference method for publicly known information security vulnerabilities and exposures. You can use CVE IDs, such as CVE-2018-1123, to query relevant information about vulnerability fixes in databases that are compatible with CVE. This way, security issues can be resolved.

Impact

The Common Vulnerability Scoring System (CVSS) score of a vulnerability. A CVSS score follows the widely accepted industry standard and is calculated by using the formula that depends on several attributes of the vulnerability. The score is used to determine the severity of the vulnerability. You can use the score to determine the priority to fix the vulnerability.

The following list describes the severity rating scale in CVSS v3.0:

  • 0: none.

  • 0.1 to 3.9: low-severity vulnerabilities.

    • Vulnerabilities that can cause local DoS attacks

    • Vulnerabilities that have minor impacts

  • 4.0 to 6.9: medium-severity vulnerabilities.

    • Vulnerabilities that affect users only during system and user interactions.

    • Vulnerabilities that attackers can exploit to perform unauthorized operations.

    • Vulnerabilities that attackers can exploit after the attackers change the configurations of on-premises machines or obtain important information.

  • 7.0 to 8.9: high-severity vulnerabilities.

    • Vulnerabilities that attackers can exploit to indirectly obtain permissions on the operating system of your server and applications.

    • Vulnerabilities that attackers can exploit to read, write, download, or delete files.

    • Vulnerabilities that can cause sensitive data leaks.

    • Vulnerabilities that can cause service interruptions or remote DoS attacks.

  • 9.0 to 10.0: critical-severity vulnerabilities.

    • Vulnerabilities that attackers can exploit to directly obtain permissions on your server.

    • Vulnerabilities that attackers can exploit to directly obtain sensitive data and cause data leaks.

    • Vulnerabilities that can cause unauthorized access to sensitive data.

    • Vulnerabilities that can cause large-scale impacts.

Affected assets

The information about assets that are affected by vulnerabilities. The information includes the public and private IP addresses of the assets.

Severity

The priority of the vulnerability, which is calculated based on the CVSS score and importance level of the vulnerability. The following items describe the priorities:

  • High: We recommend that you fix high-priority vulnerabilities at the earliest opportunity.

  • Medium: You can fix medium-priority vulnerabilities based on your business requirements.

  • Low: You can fix or ignore low-priority vulnerabilities based on your business requirements.

Details

Click the vulnerability name in the Vulnerability list of the Vulnerabilities page. The details of the vulnerability. Click Details in the Actions column of the Unhandled Vulnerabilities tab to view details such as the affected assets, fix command and impact description.

  • Fix Command: the command that you can run to fix the involved Linux software vulnerability.

    Note

    If you use Security Center Basic, you cannot view this type of command in the console.

  • Impact description:

    • Software: the current version of the software. The following figure is an example to show that the version of mariadb-libs on the server is 5.5.52-1.el7.

    • Hit: the reason based on which the vulnerability is detected. In most scenarios, the reason is that the software is outdated. The following figure is an example to show that the version of mariadb-libs is earlier than 5.5.56-2.el7.

    • Path: the path of the vulnerability program on your server. The following figure is an example to show that the path of mariadb-libs is /etc/ld.so.conf.d/mariadb-x86_64.con.

  • Caution: important notes, prevention tips, and references for the vulnerabilities.

    image

References