Fixing Vulnerabilities and Verifying the Result

Constraints

• Vulnerability-related operations are not supported if your servers are not protected by HSS.
• The server Agent Status is Online, Server Status is Running, and Action is Protected.

Precautions

• Vulnerability fixing operations cannot be rolled back. If a vulnerability fails to be fixed, services will probably be interrupted, and incompatibility issues will probably occur in middleware or upper layer applications. To avoid unrecoverable errors, you are advised to use Cloud Server Backup Service (CSBS) to back up your servers. For details, see Creating a CSBS Backup. Then, use idle servers to simulate the production environment and test-fix the vulnerability. If the test-fix succeeds, fix the vulnerability on servers running in the production environment.
• Servers need to access the Internet and use external image sources to fix vulnerabilities. If your servers cannot access the Internet, or the external image sources cannot provide stable services, you can use the image source provided by HUAWEI CLOUD to fix vulnerabilities.

  Before fixing vulnerabilities online, configure the HUAWEI CLOUD image sources that match your server OSs. For details, see Image Source Management.

Urgency

• High: This vulnerability must be fixed as soon as possible. Attackers may exploit this vulnerability to damage the server.
• Medium: You are advised to fix the vulnerability to enhance your server security.
• Safe for now: This vulnerability has a small threat to server security. You can choose to fix or ignore it.

Vulnerability Display

• Vulnerabilities that failed to be fixed or have not been handled are always displayed in the vulnerability list.
• Fixed vulnerabilities will remain in the list within 30 days after it was fixed.

Fixing Vulnerabilities in One Click

You can fix vulnerabilities in Linux or Windows OS in one click on the console.

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
   Figure 1 Accessing HSS
   

3. In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.
   

   • Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
   • On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.
   • If cloud scan is not enabled or you access the HSS (New) console for the first time, the Enable Cloud Scan? dialog box is displayed. You are advised to select Enable cloud scan.
     

     • The cloud scan function is free of charge.
     • After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to purchase the enterprise edition or higher to enjoy all capabilities of the cloud scan function.
     Figure 2 Enabling cloud scan
     

4. In the navigation pane on the left, choose Prediction > Vulnerabilities. On the displayed page, click Handle.
   

   If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

   Figure 3 Fixing vulnerabilities
   

5. On the displayed page, select the affected servers and click Fix.
   Figure 4 One-click vulnerability fix
   

6. In the dialog box that is displayed, select "I am aware that if I have not backed up my ECSs before fixing vulnerabilities, services may be interrupted and fail to be rolled back during maintenance."
7. Click OK to fix the vulnerability in one-click mode. The vulnerability status will change to Fixing.

   If a vulnerability is fixed, its status will change to Fixed. If it fails to be fixed, its status will change to Failed.

   

   Restart the system after you fixed a Linux kernel vulnerability, or HSS will probably continue to warn you of this vulnerability.

Manually Fixing Software Vulnerabilities

On the basic information page of a vulnerability, you can fix the detected vulnerabilities based on the fix suggestions. For more information, see Table 1.

• Fix the vulnerabilities in sequence based on the suggestions.
• If multiple software packages on the same server have the same vulnerability, you only need to fix the vulnerability once.

Restart the system after you fixed a Windows OS or Linux kernel vulnerability, or HSS will probably continue to warn you of this vulnerability.

Vulnerability fixing may affect service stability. You are advised to use either of the following methods to avoid such impact:

Ignoring Vulnerabilities

Some vulnerabilities are risky only in specific conditions. For example, if a vulnerability can be exploited only through an open port, but the target server does not open any ports, the vulnerability will not harm the server. Such vulnerabilities can be ignored.

Alarms will not be generated by HSS for ignored vulnerabilities.

Verifying Vulnerability Fix

After a vulnerability is fixed, you are advised to verify it immediately.

Manual verification

• Click Verify on the vulnerability details page.
• Ensure the software has been upgraded to the latest version. The following table provides the commands to check the software upgrade result.

  Table 2 Verification commands

  OS	Verification Command
  CentOS/Fedora/EulerOS/Red Hat/Oracle	rpm -qa | grep Software_name
  Debian/Ubuntu	dpkg -l | grep Software_name
  Gentoo	emerge --search Software_name

• Manually check for vulnerabilities and view the vulnerability fixing results.

Automatic verification

HSS performs a full check every early morning. If you do not perform a manual verification, you can view the system check result on the next day after you fix the vulnerability.