Using HSS to Scan and Fix Vulnerabilities

Scenario

HSS can scan for Linux, Windows, Web-CMS, application, and emergency vulnerabilities and provide multiple vulnerability handling methods, helping you comprehensively understand and fix vulnerabilities in your assets in a timely manner and avoid potential risks.

You can discover and fix vulnerabilities using HSS.

Prerequisites

HSS Professional, Enterprise, Premium, Web Tamper Protection, or Container Edition has been enabled for the server. For details, see HSS Access Overview.

Determining the Urgency for Fixing the Vulnerability

If multiple vulnerabilities are detected in your assets, you can use the following methods to determine the urgency of the vulnerabilities and fix the vulnerabilities that have significant impact on your server first.

• Determined by vulnerability fixing priority

  You can fix vulnerabilities based on their priorities. Generally, vulnerabilities whose Priority is Critical must be fixed immediately.

  The vulnerability fix priority is weighted based on the CVSS score, release time, and the importance of the assets affected by the vulnerability. It reflects the urgency of the fix.

  

  By default, the importance of an asset is General. You can also change it. For details, see Servers Importance Management .

  Vulnerabilities are classified into four priority levels: critical, high, medium, and low. You can refer to the priorities to fix the vulnerabilities that have significant impact on your server first.

  • Critical: This vulnerability must be fixed immediately. Attackers may exploit this vulnerability to cause great damage to the server.
  • High: This vulnerability must be fixed as soon as possible. Attackers may exploit this vulnerability to damage the server.
  • Medium: You are advised to fix the vulnerability to enhance your server security.
  • Low: This vulnerability has a small threat to server security. You can choose to fix or ignore it.
• Determined based on actual business conditions.

  You can view vulnerability details and determine whether to fix vulnerabilities as soon as possible based on actual services and affected servers.

Scanning for and Fixing Vulnerabilities

1. Scan for vulnerabilities.
   1. Log in to the management console.
   2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
   3. In the navigation pane, Choose Risk Management > Vulnerabilities.
   4. In the upper right corner of the Vulnerabilities page, click Scan.
   5. In the displayed Scan for Vulnerability dialog box, select all Type and set Scan to All servers to ensure that all possible vulnerabilities of all servers can be scanned.
      Figure 1 Setting manual scan parameters
      
   6. In the upper right corner of the Vulnerabilities page, click Manage Task. On the Scan Tasks tab page, confirm that the manual scan task has been completed and ensure that the detected vulnerability information is updated immediately.

2. Fix vulnerabilities.
   

   • Vulnerability fixing operations cannot be rolled back. If a vulnerability fails to be fixed, services will probably be interrupted, and incompatibility issues will probably occur in middleware or upper layer applications. To prevent unexpected consequences, you are advised to use CBR to back up ECSs. For details, see Purchasing a Server Backup Vault. Then, use idle servers to simulate the production environment and test-fix the vulnerability. If the test-fix succeeds, fix the vulnerability on servers running in the production environment.
   • Servers need to access the Internet and use external image sources to fix vulnerabilities.
     • Linux OS: If your servers cannot access the Internet, or the external image sources cannot provide stable services, you can use the image source provided by Huawei Cloud to fix vulnerabilities. Before fixing vulnerabilities online, configure the Huawei Cloud image sources that match your server OSs. For details, see Image Source Management.
     • Windows OS: If your servers cannot access the Internet, ensure you have set up a patch server.
   1. Filter the vulnerabilities to be fixed.
      • Click the number next to Critical Vulnerabilities to filter the critical vulnerabilities.
      • In the scanned vulnerability list, filter out the vulnerabilities with high priorities. For example, in the Vulnerability view tab, set priority to Critical and High. In the Server view tab, set risk level to High and Medium.
   2. Fix the vulnerabilities.
      • Auto fix: Only Linux and Windows vulnerabilities can be automatically fixed. The following example describes how to fix a Linux vulnerability.
        1. On the Vulnerabilities page, click Fix in the Operation column of the target vulnerability.
        2. In the displayed dialog box, confirm the number of vulnerabilities to be fixed and the number of affected assets, and click to enable backup.
           Figure 2 Confirming vulnerabilities and creating backups
           
        3. Click Select Server to Scan. In the Create Backup dialog box, set the Backup Name and click OK.
        4. In the Fix dialog box displayed, select I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance. and click Auto Fix.
        5. Click the vulnerability name. On the details page, click the Handling History tab and view the vulnerability fixing status in the Status column of the target vulnerability.
           • Fixed indicates that the vulnerability has been successfully fixed. For details, see Vulnerability fix statuses.
           • Failed indicates that the vulnerability fails to be fixed. The possible cause is that the vulnerability does not exist or has been changed. You can view the cause of the vulnerability fixing failure and fix the vulnerability by referring to the methods provided by HSS. For details, see What Do I Do If Vulnerability Fix Failed?
      • Manually handling: Web-CMS vulnerabilities, application vulnerabilities, and emergency vulnerabilities cannot be automatically fixed. You need to manually fix them by referring to the methods.
        1. On the Vulnerabilities page, click the name of the target vulnerability. On the details page, view the fixing suggestions.
        2. Select a solution to fix the vulnerability based on the service requirements.
           Method 1: Create a VM to fix the vulnerability.

           1. Create an image for the ECS to be fixed. For details, see Creating a Full-ECS Image Using an ECS.
           2. Use the image to create an ECS. For details, see Creating ECSs Using an Image.
           3. Fix the vulnerability on the new ECS and verify the result.
           4. Switch services over to the new ECS and verify they are stably running.
           5. Release the original ECS. If a fault occurs after the service switchover and cannot be rectified, you can switch services back to the original ECS.
           Method 2: Fix the vulnerability on the target server.

           1. Create a backup for the ECS whose vulnerabilities need to be fixed. For details, see Creating a CSBS Backup.
           2. Fix vulnerabilities on the current server.
           3. If services become unavailable after the vulnerability is fixed and cannot be recovered in a timely manner, use the backup to restore the server. For details, see Using Backups to Restore Servers.

           

           • Use method 1 if you are fixing a vulnerability for the first time and cannot estimate impact on services. You are advised to choose the pay-per-use billing mode for the newly created ECS. After the service switchover, you can change the billing mode to yearly/monthly. In this way, you can release the ECS at any time to save costs if the vulnerability fails to be fixed.
           • Use method 2 if you have fixed the vulnerability on similar servers before.
      • Ignoring a vulnerability and whitelisting a vulnerability

        If a vulnerability is harmless, you can ignore it. If a vulnerability alarm is ignored but is triggered again in the next vulnerability scan, HSS will still report the alarm to you. If a vulnerability does not affect services, you can add it to the whitelist. After a vulnerability is added to the whitelist, the detected vulnerability will be ignored and will not be reported. In addition, the vulnerability will not be scanned. For details, see Ignoring a Vulnerability and Whitelisting a Vulnerability.

3. Restart the server.

   After you fixed Windows OS vulnerabilities or Linux kernel vulnerabilities, you need to restart servers for the fix to take effect, or HSS will continue to warn you of these vulnerabilities. For other types of vulnerabilities, you do not need to restart servers after fixing them.

4. Verify the vulnerability fix.

   After you manually fix vulnerabilities, you are advised to verify the fixing result. For details, see Verifying the Vulnerability Fix.

Related Operations

• HSS allows you to view historical vulnerability handling records. You can filter the handled vulnerabilities. Click the Vulnerability Name. On the displayed page, click Handling History tab to view the handling history. For details, see Viewing Vulnerability Handling History.
• HSS allows you to export the vulnerability list. For details, see Exporting the Vulnerability List.