What Do I Do If Vulnerability Fix Failed?

If Linux or Windows vulnerabilities failed to be fixed on the HSS console, rectify the fault by following the instructions provided in this section.

Viewing the Cause of a Vulnerability Fixing Failure

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Risk Management > Vulnerabilities.

If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
In the upper right corner of the Vulnerabilities page, click Manage Task.
Click the Fix Tasks tab to view the vulnerability fixing results.
In the Operation column of a vulnerability fix task, click View Failure Cause to view its Failure Cause and Description.

You can handle the vulnerability fixing failures based on the failure causes. For details, see Linux Vulnerability Fixing Failure Causes and Solutions and Windows Vulnerability Fixing Failure Causes and Solutions.

Linux Vulnerability Fixing Failure Causes and Solutions

The kernel vulnerabilities on CCE, MRS, and BMS servers cannot be fixed. Fixing them may make some functions unavailable.
After the kernel vulnerability is fixed, you need to restart the server. If you do not restart the server, the vulnerability alarm still exists.
The following failure causes only contain some key fields. For details, see the information displayed on the HSS console.

Failure Cause	Description	Solution
timeout	Repair timed out.	Wait for 1 hour and try fixing the vulnerability again. If the fault persists, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.
This agent version does not support vulnerability verification	The agent version is too early.	Upgrade the agent and try fixing the vulnerability again.
Agent status is not normal	The agent status is abnormal.	The agent is offline and the vulnerability cannot be fixed. Recover the agent status by referring to How Do I Fix an Abnormal Agent? and fix the vulnerability.
Error: software have multiple versions	A software version with vulnerabilities is not deleted.	If this problem occurs in common software, delete the packages of the earlier versions and check whether the problem persists. Run the following command to check whether an error is reported when an early version package is deleted: rpm -e --test XXX NOTE: XXX indicates the full software component name, which contains the version number. You can run the rpm -qa command to query the full component name. If an error is reported during the deletion, there are dependencies on the software package, and the package cannot be deleted. You are advised to ignore this vulnerability. If no error is reported during the deletion, run the following command to delete the early version package: rpm -e XXX If this problem occurs on kernel-related components such as Kernel and Glibc, deleting the early version package may cause OS problems. In this case, you are advised to ignore this vulnerability.
No package marked for update	The upgrade package of a later version is not found.	The failure cause indicates that the software has been upgraded to the latest version supported by the current image source, but the vulnerability still exists. NOTE: CentOS 7, CentOS 8, Debian 9 and 10, Windows 2012 R2, and Ubuntu 14.04 and earlier have reached EOL and cannot be fixed because no official patches are available. You are advised to change to the OSs in active support. Ubuntu 16.04 to Ubuntu 22.04 do not support certain free patch updates. You need to subscribe to Ubuntu Pro to install upgrade packages. If Ubuntu Pro is not configured, vulnerabilities will fail to be fixed. For details about the vulnerabilities that can be fixed only after you subscribe to Ubuntu Pro, see Do I Need to Subscribe to Ubuntu Pro to Fix Ubuntu Vulnerabilities?. Possible cause 1: The image source is incorrectly configured. Update the image source and fix the vulnerability again. For more information, see Image Source Management. Possible cause 2: Kernel vulnerabilities cannot be fixed on the server. Fixing kernel vulnerabilities may make some functions unavailable. To fix a kernel vulnerability, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support. NOTICE: The kernel vulnerabilities on CCE, MRS, and BMS servers cannot be fixed. Fixing them may make some functions unavailable. Do not upgrade kernel components.
Error: software info not update
Error: kernel is not update
is already the newest version
Dependencies resolved. Nothing to do. Complete!
Error: Failed to download metadata for repo	Failed to connect to the yum source.	Check whether your server is in one of the following regions: CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, or CN-Hong Kong. If the server is in one of these regions and cannot connect to the Internet for some reason, configure the image source provided by Huawei Cloud. For details, see How Can I Use an Automated Tool to Configure a Huawei Cloud Image Source? If the server is not in any of these regions, ensure the server can access the Internet. Otherwise, the server cannot connect to the official image source or other sources.
One of the configured repositories failed
Errors during downloading metadata for repository
Error: Cannot retrieve repository metadata
Failed connect to
E: Failed to fetch
Error: kernel is not update	Kernel not updated.	Possible cause 1: The server is not restarted after the vulnerability is fixed. Solution: Restart the server. After a kernel vulnerability is fixed, you need to restart the server for the fix to take effect. Otherwise, the system will still report the vulnerability in the next scan. Possible cause 2: Kernel vulnerabilities cannot be fixed on the server. Fixing kernel vulnerabilities may make some functions unavailable. To fix a kernel vulnerability, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.
Error: kernel info not update	Kernel not updated.
Please install a package which provides this module, or verify that the module is installed correctly	The yum command is unavailable.	Rectify the command unavailability issue based on the suggestions provided in the failure cause.
command not found	The yum command is unavailable.
Error downloading packages	The upgrade package fails to be downloaded.	Check whether the server can properly connect to the Internet. If yes, the image source is incorrectly configured. Update the image source and fix the vulnerability again. For more information, see Configuring the Image Source. If no, ensure that your server can connect to the Internet and fix the vulnerability again.
There are no enabled repositories	No available sources are configured.	This fault occurs because the image source is incorrectly configured. Update the image source and fix the vulnerability again. For more information, see Configuring the Image Source.
Error: Cannot find a valid baseurl for repo
There are no enabled repos
dpkg was interrupted	The dpkg command is unavailable.	Rectify the command unavailability issue based on the suggestions provided in the failure cause.

Windows Vulnerability Fixing Failure Causes and Solutions

After a Windows patch is installed, you need to restart the server, or the following problems may occur:
- The patch does not take effect.
- When you install other system patches or software, the blue screen of death (BSOD) or startup failure may occur.
The following failure causes only contain some key fields. For details, see the information displayed on the HSS console.

Failure Cause	Description	Solution
timeout	Repair timed out.	Wait for 1 hour and try fixing the vulnerability again. If the fault persists, choose Service Tickets > Create Service Ticket in the upper right corner of the Huawei Cloud management console to contact technical support.
Agent status is not normal	The agent status is abnormal.	The agent is offline and the vulnerability cannot be fixed. Recover the agent status by referring to How Do I Fix an Abnormal Agent? and fix the vulnerability.
This agent version does not support vulnerability verification	The agent version is too early.	Upgrade the agent and try fixing the vulnerability again.
Search patch failed: Search failed, errmsg(Unknown error 0x8024401C)	Failed to find the patch.	The fault occurs because the Windows Update component on the server is faulty. Perform the following operations to recover the Windows Update component and fix the vulnerability again: Open the command-line interface (CLI). Run the following commands one by one: net stop wuauserv reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate net start wuauserv
Search patch failed: Search failed, errmsg(Unknown error 0x8024402C)	Failed to find the patch.	The fault occurs because the Windows Update client cannot connect to the Windows Update server. Perform the following operations to recover the Windows Update component and fix the vulnerability again: Check whether the network connection of the server is normal. Ensure your server can connect to the Internet. Clear the Windows Update cache. Open Control Panel. Click System and Security. Under Administrative Tools, click Services. Right-click Windows Update and choose Stop. Open the C:\Windows folder. Delete the SoftwareDistribution file. Right-click the Windows Update service and choose Start. Run the following commands to reset the Windows Update component: net stop wuauserv net stop cryptSvc net stop bits net stop msiserver ren C:\Windows\SoftwareDistribution SoftwareDistribution.old ren C:\Windows\System32\catroot2 catroot2.old net start wuauserv net start cryptSvc net start bits net start msiserver
Search patch failed: Search failed, errmsg(Unknown error 0x80070422)	Failed to find the patch.	The fault occurs because Windows Update is disabled on the server. Perform the following operations to start the service and fix the vulnerability again: Open Control Panel. Click System and Security. Under Administrative Tools, click Services. Double-click the Windows Update service. In the Windows Update Properties window, set Startup type to Automatic. Click OK.
Search patch failed: Get updates count is 0	Failed to find the patch.	The fault occurs because the Windows Update of the server is faulty. Perform the following steps to locate the fault: Check whether the network connection of the server is normal. If yes, go to 2. If no, fix the vulnerability again after the server network connection becomes normal. Open Windows Update and check whether the patch to be installed is available. If yes, install the patch and restart the server. If no, check whether the failure cause contains an error code. If it contains an error code, search for the corresponding solution on the Microsoft official website based on the error code. If it does not contain any error code, reset Windows Update by referring to Reset Windows Update.
Search patch failed: Search failed,errmsg	Failed to find the patch.
Not install security patch	Failed to find the patch.
Add patch to update collection failed: Update collection count is 0	Failed to find the patch.
Not find patch	No patches found.
Add patch to update collection failed	Failed to install the patch.
Com init failed	Failed to call Windows Update.
Download patch failed	Failed to download the patch.	Possible cause 1: The Windows Update configuration is incorrect. This problem may occur only in Windows 2008 and 2012. Open Control Panel. Click Windows Update and click Change settings. Configure the following parameters: Important updates: Select Download updates but let me choose when to install them. Recommended update: Select this check box. Microsoft Update: Deselect this check box. After the configuration is complete, open Windows Update and click Check for Update. After the patches to be installed are found, install them and restart the server. Possible cause 2: The server has not been patched for a long time. As a result, Windows Update is abnormal. Log in to the server and open Windows Update. Click Check for Update. After the patches to be installed are found, install them and restart the server. NOTE: Some patches probably cannot be installed at a time. Check for updates after every patch installation until all patches are installed.

Parent topic: Vulnerability Management

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot