Fix vulnerabilities

更新时间:
复制 MD 格式

Security Center provides vulnerability management capabilities to scan and fix common vulnerability types, helping you comprehensively understand and promptly address vulnerability risks across your assets. This topic describes the best practices for prioritizing, processing, and fixing vulnerabilities using Security Center.

Vulnerability fix priorities

The priority for fixing vulnerabilities is determined by the following factors:

  • Technical impact

  • Exploit maturity (PoC, exploit, weaponized worm, or weaponized virus)

  • Threat level (whether server permissions are compromised)

  • Number of affected IP addresses (the scale of internet-facing affected IPs determines how much attention the vulnerability receives from attackers)

The vulnerability urgency scoring model provided by Security Center can assess how urgently each vulnerability needs to be fixed, helping you determine fix priorities. For more information about this model, see Overview.

Vulnerability fix decision plan

  1. When multiple vulnerabilities are detected on your assets and you are unsure which ones to fix first, go to the Vulnerabilities page and turn on the Show Only Exploitable Vulnerabilities switch to filter for vulnerabilities with higher fix priority.

    The real-risk vulnerability model of Security Center evaluates vulnerabilities based on the Alibaba Cloud vulnerability scoring system, time factors, environment factors, and asset importance factors. Combined with whether vulnerabilities can be exploited in real-world attack scenarios (PoC, EXP) and their severity, it helps automatically filter out vulnerabilities that pose real security risks. Enabling this feature helps enterprises improve the efficiency of fixing vulnerabilities that can be exploited by attackers.

  2. For different vulnerability types, we recommend that you prioritize fixing Unhandled Urgent Vulnerability and Web-CMS Vulnerabilities. These two types are confirmed as high-risk vulnerabilities by Alibaba Cloud security engineers. After addressing them, proceed to fix application vulnerabilities, Windows system vulnerabilities, and Linux software vulnerabilities.

  3. Determine whether a vulnerability needs to be fixed first based on your actual business requirements, server usage, and the potential impact that the fix may cause.

Vulnerability fix process

To ensure that target servers run properly during the vulnerability fix process and reduce the risk of exceptions, we recommend that you follow this process:

  1. Scan for vulnerabilities.

    1. Log on to the Security Center console.In the left navigation pane, choose Risk Governance > Vulnerabilities. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

    2. In the upper-right corner of the Vulnerabilities page, click Vulnerability Settings.

    3. In the Vulnerability Settings panel, check the vulnerability management settings to ensure that the scan scope covers all types of vulnerabilities across all servers. For more information, see Vulnerability scanning.

    4. Return to the Vulnerabilities page and click Quick Scan.

    Check the vulnerability status of all servers under the current account to ensure that the detected vulnerability information is up to date.

  2. Pre-fix testing.

    Note

    Before fixing vulnerabilities, deploy the relevant patches for the vulnerabilities to be fixed in a test environment. Test the patches for compatibility and security, and write a vulnerability fix test report after testing is complete. The test report should include the fix results, fix duration, patch compatibility, and potential impact of the fix.

  3. Back up server data.

    Note

    To avoid unforeseen consequences, before you start fixing vulnerabilities, use a backup and recovery system to back up the data of the servers to be fixed. For example, use the snapshot feature of ECS to back up the data of the target ECS instances. When fixing Windows system vulnerabilities and Linux software vulnerabilities, you can use the automatic snapshot creation and fix feature. For emergency vulnerabilities and application vulnerabilities, you need to go to the ECS console to create snapshots. We recommend that you export the list of ECS instances with vulnerabilities and use the automatic snapshot feature to back up data. For more information, see Automatic snapshot policy.

  4. Fix vulnerabilities.

    Note

    When deploying vulnerability fix patches and executing fix operations on target servers, at least two operators must be present: one to perform the operations and one to record them, to prevent misoperations.

  5. Post-fix verification.

    Note

    Verify that the vulnerabilities on the target server system have been fixed and that no exceptions have occurred on the target server.

Vulnerability fix notes

Emergency vulnerabilities, application vulnerabilities

Security Center supports only detecting emergency vulnerabilities and application vulnerabilities and providing fix suggestions. It does not support one-click fixes. You must log on to the affected servers and manually fix the vulnerabilities based on the fix suggestions provided in the vulnerability details.

Note
  • Because vulnerability fix testing in Security Center cannot cover all system environments, patch fixes still carry certain risks. To prevent unforeseen consequences, we recommend that you create snapshots through the ECS console and build your own test environment to thoroughly test the fix plan before applying fixes. For ECS instances detected with emergency or application vulnerabilities, you can create snapshots in the ECS console to back up data. We recommend that you export the list of all ECS instances with vulnerabilities and then use automatic snapshot policies to create snapshots. For more information, see Automatic snapshot policy.

  • For vulnerabilities that cannot be fixed due to business impact or the absence of a released security version, we recommend that you use the temporary mitigation measures provided by the official vendor to defend against attacks.

  • For vulnerabilities that do not affect your business and for which a secure version is available, we recommend that you upgrade the software to the secure version.

Linux software vulnerabilities, Windows system vulnerabilities

Security Center supports automatically detecting and one-click fixing of Linux software vulnerabilities and Windows system vulnerabilities. We recommend that you handle the corresponding vulnerabilities on the vulnerability details page. For more information about fixing vulnerabilities, see Manage vulnerabilities.

When multiple Linux software vulnerabilities exist on your assets, you can use the batch fix feature. Only Linux software vulnerabilities support batch fixing. The batch fix feature automatically identifies the assets corresponding to the selected vulnerability advisories and fixes the selected vulnerabilities in these assets. The following steps describe how to batch fix Linux software vulnerabilities.

  1. Log on to the Security Center console.In the left navigation pane, choose Risk Governance > Vulnerabilities. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Linux Software Vulnerability tab of the Vulnerabilities page, select the vulnerabilities to batch fix and click Batch Fix.

    Note

    When batch fixing vulnerabilities, we recommend that you fix no more than 100 vulnerabilities at a time for performance reasons. If you need to fix more than 100 vulnerabilities, you can create snapshots and fix them in batches.

  3. In the Batch Fix dialog box, view the list of assets that Security Center has identified as needing vulnerability fixes. Select Automatically Create Snapshot and Fix Risk or Skip Snapshot and Fix, and click Fix Now.

If batch fix fails, check whether the server has a stable network connection and whether the disk space is full. For more information, see Manage vulnerabilities.

Web-CMS vulnerabilities

Security Center supports detecting and one-click fixing of Web-CMS vulnerabilities. The Web-CMS vulnerability detection feature monitors website directories and identifies vulnerabilities in common website builders. The procedure for fixing Web-CMS vulnerabilities is similar to that for Linux software vulnerabilities. For more information, see Manage vulnerabilities.