Fixing Vulnerabilities and Verifying the Result
- Linux or Windows vulnerabilities
You can select servers and click Fix to let HSS fix the vulnerabilities for you, or manually fix them based on the suggestions provided.
Then, you can use the verification function to quickly check whether the vulnerability has been fixed.
Notice: To fix Windows vulnerabilities, the server needs to connect to the Internet.
- Web-CMS vulnerabilities
Manually fix them based on the suggestions provided on the page.
Precautions
- Vulnerability fixing operations cannot be rolled back. If a vulnerability fails to be fixed, services will probably be interrupted, and incompatibility issues will probably occur in middleware or upper layer applications. To avoid unrecoverable errors, you are advised to use Cloud Server Backup Service (CSBS) to back up your servers. Then, use idle servers to simulate the production environment and test-fix the vulnerability. If the test-fix succeeds, fix the vulnerability on servers running in the production environment.
- Servers need to access the Internet and use external image sources to fix vulnerabilities.
Urgency
- High: This vulnerability must be fixed as soon as possible. Attackers may exploit this vulnerability to damage the server.
- Medium: You are advised to fix the vulnerability to enhance your server security.
- Safe for now: This vulnerability has a small threat to server security. You can choose to fix or ignore it.
Vulnerability Display
- Vulnerabilities that failed to be fixed or have not been handled are always displayed in the vulnerability list.
- Fixed vulnerabilities remain in the list for 30 days after they are fixed.
Fixing Vulnerabilities in One Click
You can fix vulnerabilities in Linux or Windows OS in one click on the console.
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose .
- On the Vulnerabilities page, click Fix. The Affected Servers tab is displayed, as shown in Figure 1.
Figure 1 Fixing vulnerabilities
- Select the affected servers and click Fix.
Figure 2 One-click vulnerability fix
- In the dialog box that is displayed, select I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance.
- Click OK to fix the vulnerability in one-click mode. The vulnerability status will change to Fixing.
If a vulnerability is fixed, its status will change to Repaired. If it fails to be fixed, its status will change to Failed.
Note: Restart the system after you fix a Windows OS or Linux kernel vulnerability; otherwise, HSS will probably continue to warn you about this vulnerability.
Manually Fixing Software Vulnerabilities
Fix the detected vulnerability based on the fix suggestions in the Solution column. For details about the vulnerability fix commands, see Table 1.
- Fix the vulnerabilities in sequence based on the suggestions.
- If multiple software packages on the same server have the same vulnerability, you only need to fix the vulnerability once.
Restart the system after you fix a Windows OS or Linux kernel vulnerability; otherwise, HSS will probably continue to warn you about this vulnerability.
Table 1 Vulnerability fix commands
OS | Command |
---|---|
CentOS/Fedora/EulerOS/Red Hat/Oracle | yum update Software_name |
Debian/Ubuntu | apt-get update && apt-get install Software_name --only-upgrade |
Gentoo/SUSE | See the vulnerability fix suggestions for details. |
Vulnerability fixing may affect service stability. You are advised to use either of the following methods to avoid such impact:
Method 1: Create a VM to fix the vulnerability.
- Create an image for the ECS to be fixed.
- Use the image to create an ECS.
- Fix the vulnerability on the new ECS and verify the result.
- Switch services over to the new ECS and verify they are stably running.
- Release the original ECS. If a fault occurs after the service switchover and cannot be rectified, you can switch services back to the original ECS.
Method 2: Fix the vulnerability on the target server.
- Create a backup for the ECS to be fixed.
- Fix vulnerabilities on the current server.
- If services become unavailable after the vulnerability is fixed and cannot be recovered in a timely manner, use the backup to restore the server.
- Use method 1 if you are fixing a vulnerability for the first time and cannot estimate impact on services. In this way, you can release the ECS at any time to save costs if the vulnerability fails to be fixed.
- Use method 2 if you have fixed the vulnerability on similar servers before.
Ignoring Vulnerabilities
Some vulnerabilities are risky only in specific conditions. For example, if a vulnerability can be exploited only through an open port, but the target server does not open any ports, the vulnerability will not harm the server. Such vulnerabilities can be ignored.
HSS will not generate alarms for ignored vulnerabilities.
Verifying Vulnerability Fix
After a vulnerability is fixed, you are advised to verify it immediately.
Manual verification
- Click Verify on the vulnerability details page.
- Ensure the software has been upgraded to the latest version. The following table provides the commands to check the software upgrade result.
Table 2 Verification commands
OS | Verification Command |
---|---|
CentOS/Fedora/EulerOS/Red Hat/Oracle | rpm -qa | grep Software_name |
Debian/Ubuntu | dpkg -l | grep Software_name |
Gentoo | emerge --search Software_name |
SUSE | zypper search -dC --match-words Software_name |
- Manually check for vulnerabilities and view the vulnerability fixing results.
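The manual verification step above can be scripted: the following added example (not part of the HSS documentation) picks the Table 2 command from the server's /etc/os-release ID, extracts the installed version from a dpkg -l or rpm -qa line, and compares it with the version the fix suggestion requires. The os-release ID values and the sample package lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the HSS documentation: choose the Table 2
# verification command for the detected OS and check that the installed
# package version is at least the version the fix suggestion requires.

# Read the ID field from os-release text on stdin (use: os_id < /etc/os-release).
os_id() {
  sed -n 's/^ID=//p' | tr -d '"'
}

# Map an os-release ID (assumed values) to the verification command from Table 2.
verify_cmd() {
  case "$1" in
    centos|fedora|euleros|rhel|ol) echo "rpm -qa | grep $2" ;;
    debian|ubuntu)                 echo "dpkg -l | grep $2" ;;
    gentoo)                        echo "emerge --search $2" ;;
    sles|opensuse*)                echo "zypper search -dC --match-words $2" ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
}

# Version from one "dpkg -l" line (3rd column): "ii  openssl  1.1.1f-1ubuntu2  amd64 ..."
dpkg_version() { printf '%s\n' "$1" | awk '{print $3}'; }

# Version from one "rpm -qa" line, e.g. openssl-1.0.2k-26.el7.x86_64 -> 1.0.2k
rpm_version() { rest=${2#"$1"-}; printf '%s\n' "${rest%%-*}"; }

# Dotted-version compare: prints 1 if $1 >= $2, else 0. Non-digits in a
# component are dropped (1.0.2k compares as 1.0.2); for Debian packages
# prefer "dpkg --compare-versions" when it is available.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
    bx=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
    [ "${ax:-0}" -gt "${bx:-0}" ] && { echo 1; return 0; }
    [ "${ax:-0}" -lt "${bx:-0}" ] && { echo 0; return 0; }
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  echo 1
}

# Constructed sample data (not real scan output) showing the flow end to end.
SAMPLE_OS='NAME="Ubuntu"
ID=ubuntu'
SAMPLE_DPKG='ii  openssl  1.1.1f-1ubuntu2.16  amd64  Secure Sockets Layer toolkit'
os=$(printf '%s\n' "$SAMPLE_OS" | os_id)
echo "run on the server: $(verify_cmd "$os" openssl)"
installed=$(dpkg_version "$SAMPLE_DPKG")
echo "installed $installed; fixed=$(version_ge "${installed%%-*}" 1.1.1f)"
```

On a real server, feed the actual output of the Table 2 command into dpkg_version or rpm_version and use the version named in the Solution column as the required version.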
Automatic verification
HSS performs a full check in the early morning every day. If you do not perform a manual verification, you can view the system check result on the day after you fix the vulnerability.