Fixing Vulnerabilities and Verifying the Result
- Linux or Windows vulnerabilities
You can select servers and click Handle to fix the vulnerabilities, or manually fix them based on the suggestions provided.
Then, you can use the verification function to quickly check whether the vulnerability has been fixed.
To fix Windows vulnerabilities, the servers must be able to access the Internet.
- Web-CMS vulnerabilities
Manually fix them based on the suggestions provided on the page.
- Application vulnerabilities
Manually fix them based on the suggestions provided on the page.
- Vulnerability-related operations are not supported if your servers are not protected by HSS. A server is protected when its Agent Status is Online, its Server Status is Running, and its Action is Protected.
- Vulnerability fixing operations cannot be rolled back. If a vulnerability fails to be fixed, services will probably be interrupted, and incompatibility issues will probably occur in middleware or upper layer applications. To avoid unrecoverable errors, you are advised to use Cloud Server Backup Service (CSBS) to back up your servers. For details, see Creating a CSBS Backup. Then, use idle servers to simulate the production environment and test-fix the vulnerability. If the test-fix succeeds, fix the vulnerability on servers running in the production environment.
- Servers need to access the Internet and use external image sources to fix vulnerabilities. If your servers cannot access the Internet, or the external image sources cannot provide stable services, you can use the image source provided by HUAWEI CLOUD to fix vulnerabilities.
Before fixing vulnerabilities online, configure the HUAWEI CLOUD image sources that match your server OSs. For details, see Image Source Management.
- High: This vulnerability must be fixed as soon as possible. Attackers may exploit this vulnerability to damage the server.
- Medium: You are advised to fix the vulnerability to enhance your server security.
- Safe for now: This vulnerability poses a small threat to server security. You can choose to fix or ignore it.
- Vulnerabilities that failed to be fixed or have not been handled are always displayed in the vulnerability list.
- Fixed vulnerabilities remain in the list for 30 days after they were fixed.
Fixing Vulnerabilities in One Click
You can fix vulnerabilities in Linux or Windows OS in one click on the console.
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose .
Figure 1 Accessing HSS
- In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.
- Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
- On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.
- If cloud scan is not enabled or you access the HSS (New) console for the first time, the Enable Cloud Scan? dialog box is displayed. You are advised to select Enable cloud scan.
Figure 2 Enabling cloud scan
- The cloud scan function is free of charge.
- After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to purchase the enterprise edition or higher to enjoy all capabilities of the cloud scan function.
- In the navigation pane on the left, choose Prediction > Vulnerabilities. On the displayed page, click Handle.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
Figure 3 Fixing vulnerabilities
- On the displayed page, select the affected servers and click Fix.
Figure 4 One-click vulnerability fix
- In the dialog box that is displayed, select "I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance."
- Click OK to fix the vulnerability in one-click mode. The vulnerability status will change to Fixing.
If a vulnerability is fixed, its status will change to Fixed. If it fails to be fixed, its status will change to Failed.
Restart the system after fixing a Linux kernel vulnerability; otherwise, HSS will probably continue to warn you about this vulnerability.
Manually Fixing Software Vulnerabilities
On the basic information page of a vulnerability, you can fix the detected vulnerabilities based on the fix suggestions. For more information, see Table 1.
- Fix the vulnerabilities in sequence based on the suggestions.
- If multiple software packages on the same server have the same vulnerability, you only need to fix the vulnerability once.
Restart the system after fixing a Windows OS or Linux kernel vulnerability; otherwise, HSS will probably continue to warn you about this vulnerability.
Table 1 Fix commands
- RPM-based distributions (yum): yum update Software_name
- Debian-based distributions (apt): apt-get update && apt-get install Software_name --only-upgrade
- Gentoo and other distributions: See the vulnerability fix suggestions for details.
Vulnerability fixing may affect service stability. You are advised to use either of the following methods to avoid such impact:
Method 1: Fix the vulnerability on a new ECS created from an image
- Create an image for the ECS to be fixed. For details, see Creating a Full-ECS Image Using an ECS.
- Use the image to create an ECS. For details, see Creating ECSs Using an Image.
- Fix the vulnerability on the new ECS and verify the result.
- Switch services over to the new ECS and verify that they are running stably.
- Release the original ECS. If a fault occurs after the service switchover and cannot be rectified, you can switch services back to the original ECS.
Method 2: Back up the ECS and fix the vulnerability on it
- Create a backup for the ECS to be fixed. For details, see Creating a CSBS Backup.
- Fix vulnerabilities on the current server.
- If services become unavailable after the vulnerability is fixed and cannot be recovered in a timely manner, use the backup to restore the server. For details, see Using Backups to Restore Servers.
Choosing a method:
- Use method 1 if you are fixing a vulnerability for the first time and cannot estimate the impact on services. You are advised to choose the pay-per-use billing mode for the newly created ECS. After the service switchover, you can change the billing mode to yearly/monthly. In this way, you can release the ECS at any time to save costs if the vulnerability fails to be fixed.
- Use method 2 if you have fixed the vulnerability on similar servers before.
Some vulnerabilities are risky only under specific conditions. For example, if a vulnerability can be exploited only through an open port, but the target server does not open any ports, the vulnerability cannot harm the server. Such vulnerabilities can be ignored.
HSS does not generate alarms for ignored vulnerabilities.
Verifying Vulnerability Fix
After a vulnerability is fixed, you are advised to verify it immediately.
- Click Verify on the vulnerability details page.
- Ensure the software has been upgraded to the latest version. The following table provides the commands to check the software upgrade result.
Table 2 Verification commands
- RPM-based distributions: rpm -qa | grep Software_name
- Debian-based distributions: dpkg -l | grep Software_name
- Gentoo: emerge --search Software_name
- Manually check for vulnerabilities and view the vulnerability fixing results.
HSS performs a full check in the early morning every day. If you do not perform a manual verification, you can view the system check result on the day after you fix the vulnerability.
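The verification commands above only list what is installed; the check a practitioner actually wants is whether the installed version is at or above the one carrying the fix, and, for kernel fixes, whether the patched kernel is the one running (the reason the restart notes exist). The following script is an added example, not part of the HSS documentation; the package names, versions and the "fixed" version 1.1.1k-9.el8 are constructed sample data, and the package-manager output is embedded inline so the script runs without rpm or dpkg.

```shell
#!/bin/sh
# Added example, not from the HSS documentation. Checks that an installed
# package is at or above the version carrying the fix, and that the newest
# installed kernel is the one actually running (otherwise a restart is still
# needed). Package-manager output is constructed inline so it runs offline.

# Constructed sample of `rpm -qa | grep openssl` on an RPM-based server.
RPM_SAMPLE='openssl-libs-1.1.1k-9.el8.x86_64
openssl-1.1.1k-9.el8.x86_64'

# Constructed sample of `dpkg -l | grep openssl` on a Debian-based server.
DPKG_SAMPLE='ii  openssl  1.1.1n-0+deb11u5  amd64  Secure Sockets Layer toolkit'

# Constructed samples of `rpm -q kernel` and `uname -r` after a kernel fix
# that has not yet been followed by a reboot.
KERNEL_SAMPLE='kernel-4.18.0-425.3.1.el8.x86_64
kernel-4.18.0-477.10.1.el8_8.x86_64'
RUNNING_KERNEL='4.18.0-425.3.1.el8.x86_64'

# rpm_version RPM_QA_OUTPUT NAME: print version-release of the package whose
# name is exactly NAME (format name-version-release.arch; a hyphenated name
# such as openssl-libs does not match NAME=openssl).
rpm_version() {
    printf '%s\n' "$1" | sed -n "s/^$2-\([^-]*-[^-]*\)\.[^.]*$/\1/p" | head -n 1
}

# dpkg_version DPKG_L_OUTPUT NAME: print the version of an installed ("ii") package.
dpkg_version() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == "ii" && $2 == name { print $3; exit }'
}

# version_at_least HAVE WANT: succeed if HAVE sorts at or above WANT (sort -V).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# running_newest_kernel UNAME_R RPM_Q_KERNEL_OUTPUT: succeed if the running
# kernel is the newest installed one; failure means a restart is still pending.
running_newest_kernel() {
    newest=$(printf '%s\n' "$2" | sed 's/^kernel-//' | sort -V | tail -n 1)
    [ "$1" = "$newest" ]
}

# Demo on the constructed samples (fixed version assumed to be 1.1.1k-9.el8).
have=$(rpm_version "$RPM_SAMPLE" openssl)
version_at_least "$have" 1.1.1k-9.el8 && echo "openssl $have: fix present" \
    || echo "openssl $have: still below fixed version"
running_newest_kernel "$RUNNING_KERNEL" "$KERNEL_SAMPLE" \
    || echo "running kernel $RUNNING_KERNEL is not the newest installed: restart needed"
```

On a real server, replace the sample variables with the live output of rpm -qa, dpkg -l, rpm -q kernel and uname -r, and take the fixed version from the HSS fix suggestion for the vulnerability.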