Fixing Vulnerabilities

Scenario

This section describes how to fix vulnerabilities.

The fixing method varies depending on the vulnerability type. Select a method based on the vulnerability type. The recommended fixing methods are as follows.

**Table 1** Recommended fixing methods
Vulnerability Type	Recommended Fixing Method
Linux vulnerabilities	Use either of the following methods: Use the repair function on the SecMaster console to fix the vulnerability. Manually fix the vulnerability based on the suggestions provided on the console. Then, you can use the verification function to quickly check whether the vulnerability has been fixed.
Windows vulnerabilities
Web-CMS vulnerabilities	Manually fix the vulnerability based on the suggestions provided on the console.
Application vulnerabilities

Vulnerability fixing operations cannot be rolled back. If a vulnerability fails to be fixed, services will probably be interrupted, and incompatibility issues will probably occur in middleware or upper-layer applications. To avoid unrecoverable errors, you are advised to use Cloud Server Backup Service (CSBS) to back up your servers. Then, use idle servers to simulate the production environment and test-fix the vulnerability. If the test-fix succeeds, fix the vulnerability on servers running in the production environment.
Servers need to access the Internet and external image sources are used to fix vulnerabilities. If your servers cannot access the Internet, or the external image sources cannot provide stable services, you can use the image sources to fix vulnerabilities.
Before fixing vulnerabilities online, configure the image sources that match your server OSs.

Fixing Vulnerabilities on the Console

Only Linux vulnerabilities and Windows vulnerabilities can be fixed using the repair function on the console.

Log in to the management console.
Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

Figure 1 Workspace management page
In the navigation pane, choose Risk Prevention > Vulnerabilities.

Figure 2 Accessing the vulnerability management page
On the displayed page, click Linux Vulnerabilities or Windows Vulnerabilities.
In the vulnerability list, click the name of the target vulnerability. The vulnerability details page is displayed.
On the Vulnerability Details page, click Affected Resources. In the resource list, locate the row that contains the target resource and click Repair in the Operation column.
To fix vulnerabilities in batches, select all the target vulnerabilities and click Batch Repair in the upper left corner above the list.
If a vulnerability is fixed, its status will change to Fixed. If it fails to be fixed, its status will change to Failed.

Restart the system after you fixed a Linux kernel vulnerability, or the system will probably continue to warn you of this vulnerability.

Manually Fixing Software Vulnerabilities

Vulnerability Fixing Commands

On the basic information page of vulnerabilities, you can fix a detected vulnerability based on the provided suggestions. For details about the vulnerability fixing commands, see Table 2.

Restart the system after you fixed a Windows or Linux kernel vulnerability, or the system will probably continue to warn you of this vulnerability.
Fix the vulnerabilities in sequence based on the suggestions.
If multiple software packages on the same server have the same vulnerability, you only need to fix the vulnerability once.

**Table 2** Vulnerability fix commands
OS	Fix Command
CentOS/Fedora/EulerOS/Red Hat/Oracle	yum update Software name
Debian/Ubuntu	apt-get update && apt-get install Software name --only-upgrade
Gentoo	See the vulnerability fix suggestions for details.

Vulnerability Fixing Methods
Vulnerability fixing may affect service stability. You are advised to use either of the following methods to avoid such impacts:
- Method 1: Create a VM to fix the vulnerability.
  1. Create an image for the ECS host whose vulnerability needs to be fixed. For details, see Creating a Full-ECS Image from an ECS.
  2. Use the image to create an ECS. For details, see Creating an ECS from an Image.
  3. Fix the vulnerability on the new ECS and verify the result.
  4. Switch services over to the new ECS and verify they are stably running.
  5. Release the original ECS. If a fault occurs after the service switchover and cannot be rectified, you can switch services back to the original ECS.
- Method 2: Fix the vulnerability on the current server.
  1. Create a backup for the ECS to be fixed.
  2. Fix vulnerabilities on the current server.
  3. If services become unavailable after the vulnerability is fixed and cannot be recovered in a timely manner, use the backup to restore the server.
- Use method 1 if you are fixing a vulnerability for the first time and cannot estimate the impact on services. You are advised use pay-per-use billing for newly created ECSs. After the service switchover, you can change the billing mode to yearly/monthly. In this way, you can release the ECSs at any time to save costs if the vulnerability fails to be fixed.
- Use method 2 if you have fixed the vulnerability on similar servers before.

Verifying Vulnerability Fix

After a vulnerability is fixed, you are advised to verify it immediately.

**Table 3** Verification
Method	Operation
Manual verification	Click Verify on the vulnerability details page. Run the following command to check the software upgrade result and ensure that the software has been upgraded to the latest version: CentOS, Fedora, EulerOS, Red Hat, and Oracle: rpm -qa \| grep Software name Debian and Ubuntu: dpkg -l \| grep Software name Gentoo: emerge --search Software name
Automatic verification	HSS performs a full scan every early morning. If you do not perform a manual verification, you can view the system check result on the next day after you fix the vulnerability.