Updated on 2024-09-25 GMT+08:00

What Do I Do If Vulnerability Fix Failed?

If Linux or Windows vulnerabilities fail to be fixed on the HSS console, rectify the fault by following the instructions in this section.

Viewing the Cause of a Vulnerability Fixing Failure

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Risk Management > Vulnerabilities.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  4. In the upper right corner of the Vulnerabilities page, click Manage Task.
  5. Click the Fix Tasks tab to view the vulnerability fixing results.

    • : The number displayed next to this icon indicates the number of servers that are successfully fixed.
    • : The number displayed next to this icon indicates the number of servers that failed to be fixed.

  6. Click . In the Fix Failures dialog box, view the failure cause and description.

    You can handle the vulnerability fixing failures based on the failure causes. For details, see Linux Vulnerability Fixing Failure Causes and Solutions and Windows Vulnerability Fixing Failure Causes and Solutions.

Linux Vulnerability Fixing Failure Causes and Solutions

  • The kernel vulnerabilities on CCE, MRS, and BMS servers cannot be fixed. Fixing them may make some functions unavailable.
  • After a kernel vulnerability is fixed, you need to restart the server. Otherwise, the vulnerability alarm persists.
  • The following failure causes only contain some key fields. For details, see the information displayed on the HSS console.

Each entry below gives the failure cause shown on the console, a description, and the solution.

Failure cause: timeout
Description: Repair timed out.
Solution: Wait for 1 hour and try fixing the vulnerability again. If the fault persists, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.

Failure cause: This agent version does not support vulnerability verification
Description: The agent version is too old.
Solution: Upgrade the agent and try fixing the vulnerability again.

Failure cause: Agent status is not normal
Description: The agent status is abnormal.
Solution: The agent is offline and the vulnerability cannot be fixed. Recover the agent status by referring to How Do I Fix an Abnormal Agent? and then fix the vulnerability again.

Failure cause: Error: software have multiple versions
Description: A software version with vulnerabilities is not deleted.
Solution:

  • If this problem occurs in common software, delete the packages of the earlier versions and check whether the problem persists.
    Run the following command to check whether an error is reported when an early version package is deleted:
    rpm -e --test XXX
    NOTE:

    XXX indicates the full software component name, which contains the version number. You can run the rpm -qa command to query the full component name.

    • If the test reports an error, other packages depend on this package and it cannot be deleted. You are advised to ignore this vulnerability.
    • If the test reports no error, run the following command to delete the early version package:
      rpm -e XXX
  • If this problem occurs on kernel-related components such as Kernel and Glibc, deleting the early version package may cause OS problems. In this case, you are advised to ignore this vulnerability.
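The check-then-delete sequence above as a script, added here as an illustration and not taken from the HSS documentation. It goes one step further than the text by finding the older builds itself (per architecture, ordered with sort -V, which approximates rpm's version comparison and ignores epochs); the function names, the APPLY switch and the kernel/glibc name patterns are assumptions.

```bash
# Added example (not HSS code): dry-run-first cleanup of duplicate package builds.

# Kernel-related components the page says to leave alone; name patterns are an assumption.
is_protected() {
  case "$1" in
    kernel|kernel-*|glibc|glibc-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every installed build of package $1 except the newest one per architecture.
# sort -V approximates rpm's version ordering and ignores epochs.
older_builds() {
  rpm -q --qf '%{ARCH} %{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' "$1" 2>/dev/null \
    | sort -k1,1 -k2,2V \
    | awk 'NF == 2 { if ($1 == arch) print prev; arch = $1; prev = $2 }'
}

# Dry-run the removal of each older build; delete only when the dry run
# passes and APPLY=1 is set. Prints one result line per build.
cleanup_old_builds() {
  local name=$1 pkg
  if is_protected "$name"; then
    echo "ignore $name (kernel-related component)"
    return 0
  fi
  older_builds "$name" | while read -r pkg; do
    if ! rpm -e --test "$pkg" >/dev/null 2>&1; then
      echo "ignore $pkg (rpm -e --test reported an error)"
    elif [ "${APPLY:-0}" = 1 ]; then
      rpm -e "$pkg" && echo "removed $pkg"
    else
      echo "removable $pkg"
    fi
  done
}

# Usage: ./cleanup.sh openssl          (report only)
#        APPLY=1 ./cleanup.sh openssl  (delete builds whose dry run passed)
if [ "$#" -gt 0 ]; then
  cleanup_old_builds "$1"
fi
```

Run it without APPLY first and review the "removable" lines before deleting anything.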

Failure cause (any of the following):
  • No package marked for update
  • Error: software info not update
  • Error: kernel is not update
  • is already the newest version
  • Dependencies resolved. Nothing to do. Complete!
Description: The upgrade package of a later version is not found.
Solution: The failure cause indicates that the software has been upgraded to the latest version supported by the current image source, but the vulnerability still exists.

NOTE:
  • CentOS 7, CentOS 8, Debian 9 and 10, Windows 2012 R2, and Ubuntu 14.04 and earlier have reached EOL and cannot be fixed because no official patches are available. You are advised to change to the OSs in active support.
  • Ubuntu 15.04 to Ubuntu 22.04 do not support free patch updates. You need to subscribe to Ubuntu Pro to install upgrade packages. If Ubuntu Pro is not configured, vulnerabilities will fail to be fixed.

  • Possible cause 1: The image source is incorrectly configured.

    Update the image source and fix the vulnerability again. For more information, see "Image Source Management".

  • Possible cause 2: Kernel vulnerabilities cannot be fixed on the server.

    Fixing kernel vulnerabilities may make some functions unavailable. To fix a kernel vulnerability, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.

    NOTICE:

    The kernel vulnerabilities on CCE, MRS, and BMS servers cannot be fixed. Fixing them may make some functions unavailable. Do not upgrade kernel components.

Failure cause (any of the following):
  • Error: Failed to download metadata for repo
  • One of the configured repositories failed
  • Errors during downloading metadata for repository
  • Error: Cannot retrieve repository metadata
  • Failed connect to
  • E: Failed to fetch
Description: Failed to connect to the yum source.
Solution: The server cannot connect to the image source. Check whether the server can properly connect to the external network.

Failure cause (any of the following):
  • Error: kernel is not update
  • Error: kernel info not update
Description: Kernel not updated.
Solution:

  • Possible cause 1: The server is not restarted after the vulnerability is fixed.

    Solution: Restart the server. After a kernel vulnerability is fixed, you need to restart the server for the fix to take effect. Otherwise, the system will still report the vulnerability in the next scan.

  • Possible cause 2: Kernel vulnerabilities cannot be fixed on the server.

    Fixing kernel vulnerabilities may make some functions unavailable. To fix a kernel vulnerability, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.

Failure cause (any of the following):
  • Please install a package which provides this module, or verify that the module is installed correctly
  • command not found
Description: The yum command is unavailable.
Solution: Rectify the command unavailability issue based on the suggestions provided in the failure cause.

Failure cause: Error downloading packages
Description: The upgrade package fails to be downloaded.
Solution: Check whether the server can properly connect to the Internet.
  • If yes, the image source is incorrectly configured. Update the image source and fix the vulnerability again.
  • If no, ensure that your server can connect to the Internet and fix the vulnerability again.

Failure cause (any of the following):
  • There are no enabled repositories
  • Error: Cannot find a valid baseurl for repo
  • There are no enabled repos
Description: No available sources configured.
Solution: This fault occurs because the image source is incorrectly configured. Update the image source and fix the vulnerability again.

Failure cause: dpkg was interrupted
Description: The dpkg command is unavailable.
Solution: Rectify the command unavailability issue based on the suggestions provided in the failure cause.
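Several of the Linux failure causes above (There are no enabled repositories, Error: Cannot find a valid baseurl for repo, Error: Failed to download metadata for repo) come back to the image source configuration. The script below is an added example, not part of the HSS documentation: it reads the .repo files of a yum/dnf system and reports which repositories are enabled and whether each one has a source URL. The function names and output wording are assumptions.

```bash
# Added example (not HSS code): summarize yum/dnf repository definitions.

# Print "<repo id>: disabled" or "<repo id>: enabled, <first source URL, or a
# note that none is set>" for every section in DIR/*.repo.
repo_report() {
  set -- "$1"/*.repo
  [ -e "$1" ] || return 0               # directory has no .repo files
  awk '
    function emit() {
      if (id == "") return
      if (!enabled)       print id ": disabled"
      else if (src == "") print id ": enabled, no baseurl/mirrorlist/metalink"
      else                print id ": enabled, " src
    }
    /^[ \t]*[#;]/ { next }              # comment line
    /^[ \t]*\[.*\]/ {                   # new [section]; repos default to enabled
      emit(); id = $0; gsub(/^[ \t]*\[|\].*$/, "", id)
      enabled = 1; src = ""; next
    }
    {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
      if (key == "enabled") enabled = (tolower(val) !~ /^(0|false|no)$/)
      else if (key ~ /^(baseurl|mirrorlist|metalink)$/ && val != "" && src == "") src = val
    }
    END { emit() }' "$@"
}

# Reduce the report to the first thing to fix.
repo_verdict() {
  local report
  report=$(repo_report "$1")
  if ! printf '%s\n' "$report" | grep -q ': enabled, '; then
    echo "no enabled repositories"
  elif printf '%s\n' "$report" | grep -q ': enabled, no baseurl/'; then
    echo "enabled repository has no source URL"
  else
    echo "repositories defined; test connectivity to the URLs"
  fi
}

# Usage: ./repocheck.sh /etc/yum.repos.d
if [ "$#" -gt 0 ]; then
  repo_report "$1"
  repo_verdict "$1"
fi
```

URLs are printed as written in the file, so variables such as $releasever are not expanded.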

Windows Vulnerability Fixing Failure Causes and Solutions

  • After a Windows patch is installed, you need to restart the server, or the following problems may occur:
    • The patch does not take effect.
    • When you install other system patches or software, the blue screen of death (BSOD) or startup failure may occur.
  • The following failure causes only contain some key fields. For details, see the information displayed on the HSS console.

Each entry below gives the failure cause shown on the console, a description, and the solution.

Failure cause: timeout
Description: Repair timed out.
Solution: Wait for 1 hour and try fixing the vulnerability again. If the fault persists, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.

Failure cause: Agent status is not normal
Description: The agent status is abnormal.
Solution: The agent is offline and the vulnerability cannot be fixed. Recover the agent status by referring to How Do I Fix an Abnormal Agent? and then fix the vulnerability again.

Failure cause: This agent version does not support vulnerability verification
Description: The agent version is too old.
Solution: Upgrade the agent and try fixing the vulnerability again.

Failure cause: Search patch failed: Search failed, errmsg(Unknown error 0x8024401C)
Description: Failed to find the patch.
Solution: The fault occurs because the Windows Update component on the server is faulty. Perform the following operations to recover the Windows Update component and fix the vulnerability again:

  1. Open the command-line interface (CLI).
  2. Run the following commands one by one:
    net stop wuauserv
    reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    net start wuauserv

Failure cause: Search patch failed: Search failed, errmsg(Unknown error 0x8024402C)
Description: Failed to find the patch.
Solution: The fault occurs because the Windows Update client cannot connect to the Windows Update server. Perform the following operations to recover the Windows Update component and fix the vulnerability again:

  1. Check whether the network connection of the server is normal.

    Ensure your server can connect to the Internet.

  2. Clear the Windows Update cache.
    1. Open Control Panel.
    2. Click System and Security. Under Administrative Tools, click Services.
    3. Right-click Windows Update and choose Stop.
    4. Open the C:\Windows folder. Delete the SoftwareDistribution folder.
    5. Right-click the Windows Update service and choose Start.
  3. Run the following commands to reset the Windows Update component:
    net stop wuauserv
    net stop cryptSvc
    net stop bits
    net stop msiserver
    ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    ren C:\Windows\System32\catroot2 catroot2.old
    net start wuauserv
    net start cryptSvc
    net start bits
    net start msiserver

Failure cause: Search patch failed: Search failed, errmsg(Unknown error 0x80070422)
Description: Failed to find the patch.
Solution: The fault occurs because Windows Update is disabled on the server. Perform the following operations to start the service and fix the vulnerability again:

  1. Open Control Panel.
  2. Click System and Security. Under Administrative Tools, click Services.
  3. Double-click the Windows Update service.
  4. In the Windows Update Properties window, set Startup type to Automatic.
  5. Click OK.

The following failure causes share one solution, given after the list:

Failure cause: Search patch failed: Get updates count is 0
Description: Failed to find the patch.

Failure cause: Search patch failed: Search failed,errmsg
Description: Failed to find the patch.

Failure cause: Not install security patch
Description: Failed to find the patch.

Failure cause: Add patch to update collection failed: Update collection count is 0
Description: Failed to find the patch.

Failure cause: Not find patch
Description: No patches found.

Failure cause: Add patch to update collection failed
Description: Failed to install the patch.

Failure cause: Com init failed
Description: Failed to call Windows Update.

Solution: The fault occurs because the Windows Update of the server is faulty. Perform the following steps to locate the fault:

  1. Check whether the network connection of the server is normal.
    • If yes, go to 2.
    • If no, fix the vulnerability again after the server network connection becomes normal.
  2. Open Windows Update and check whether the patch to be installed is available.
    • If yes, install the patch and restart the server.
    • If no, check whether the failure cause contains an error code.

      If it contains an error code, search for the corresponding solution on the Microsoft official website based on the error code.

      If it does not contain any error code, reset Windows Update by referring to Reset Windows Update.

Failure cause: Download patch failed
Description: Failed to download the patch.
Solution:

  • Possible cause 1: The Windows Update configuration is incorrect. This problem may occur only in Windows 2008 and 2012.

    Open Control Panel. Click Windows Update and click Change settings. Configure the following parameters:

    • Important updates: Select Download updates but let me choose when to install them.
    • Recommended update: Select this check box.
    • Microsoft Update: Deselect this check box.

    After the configuration is complete, open Windows Update and click Check for Update. After the patches to be installed are found, install them and restart the server.

  • Possible cause 2: The server has not been patched for a long time. As a result, Windows Update is abnormal.
    1. Log in to the server and open Windows Update.
    2. Click Check for Update.
    3. After the patches to be installed are found, install them and restart the server.
    NOTE:

    Some patches may not install in a single pass. Check for updates after every patch installation until all patches are installed.