Updated on 2024-04-15 GMT+08:00

Vulnerability Management Overview

Vulnerability management can detect Linux, Windows, Web-CMS, and application vulnerabilities and provide suggestions, helping you learn about server vulnerabilities in real time. Linux and Windows vulnerabilities can be fixed in one-click mode. This section describes how the vulnerabilities are detected and the vulnerabilities that can be scanned and fixed in each HSS edition.

The vulnerability list displays vulnerabilities detected in the last seven days. After a vulnerability is detected for a server, if you change the server name and do not perform a vulnerability scan again, the vulnerability list still displays the original server name.

How Vulnerability Scan Works

Table 1 describes how different types of vulnerabilities are detected.

Table 1 How vulnerability scan works

Type

Mechanism

Linux vulnerability

Based on the vulnerability database, checks and handles vulnerabilities in the software (such as kernel, OpenSSL, vim, glibc) you obtained from official Linux sources and have not compiled, reports the results to the management console, and generates alarms.

Windows vulnerability

Synchronizes Microsoft official patches, checks whether the patches on the server have been updated, pushes Microsoft official patches, reports the results to the management console, and generates vulnerability alarms.

Web-CMS vulnerability

Checks web directories and files for Web-CMS vulnerabilities, reports the results to the management console, and generates vulnerability alarms.

Application vulnerability

Detects the vulnerabilities in the software and dependency packages running on the server, reports risky vulnerabilities to the console, and displays vulnerability alarms.

Types of Vulnerabilities That Can Be Scanned and Fixed

For details about the types of vulnerabilities that can be scanned and fixed in different HSS editions, see Table 2.

The meanings of the symbols in the table are as follows:

  • √: supported
  • ×: not supported
Table 2 Types of vulnerabilities that can be scanned and fixed in each HSS edition

Vulnerability Type

Function

Enterprise Edition

Premium Edition

Web Tamper Protection Edition

Container Edition

Linux vulnerability

Automatic vulnerability scan (once a week by default)

Vulnerability policy configuration

Manual vulnerability scan

One-click vulnerability fix

(A maximum of 50 vulnerabilities can be fixed at a time.)

Windows vulnerability

Automatic vulnerability scan (once a week by default)

×

Vulnerability policy configuration

×

Manual vulnerability scan

×

One-click vulnerability fix

(A maximum of 50 vulnerabilities can be fixed at a time.)

×

Web-CMS vulnerability

Automatic vulnerability scan (once a week by default)

Vulnerability policy configuration

Manual vulnerability scan

One-click vulnerability fix

×

×

×

×

Application vulnerability

Automatic vulnerability scan (once a week by default)

Vulnerability policy configuration

Manual vulnerability scan

One-click vulnerability fix

×

×

×

×

  • HSS can scan for Web-CMS and application vulnerabilities but cannot fix them. You can log in to your server to manually fix the vulnerability by referring to the suggestions displayed on the vulnerability details page.
  • You can configure the automatic scan period, automatic scan scope, and vulnerability whitelist. For details about how to configure the automatic scan period and automatic scan scope, see Automatic Vulnerability Scan. For details about how to configure the vulnerability whitelist, see Managing the Vulnerability Whitelist.