Updated on 2026-06-24 GMT+08:00

Vulnerability Management

Vulnerabilities are the primary attack vectors attackers use to compromise enterprise systems. Exploiting these weaknesses can allow attackers to escalate privileges, exfiltrate sensitive information, or disrupt critical operations. Fixing vulnerabilities in a timely manner enhances system security and reduces attack risk.

SecMaster helps you identify and address configuration risks and system vulnerabilities. SecMaster manages vulnerabilities by category: Linux, Windows, Web-CMS, application, and website vulnerabilities.

  • Linux vulnerabilities include common vulnerabilities in Linux and its components, such as kernel and component vulnerabilities.
  • Windows vulnerabilities include the latest vulnerabilities and patches for Windows.
  • Web-CMS vulnerabilities include common vulnerabilities in web content management systems and similar web applications, such as phpMyAdmin.
  • Application vulnerabilities include vulnerabilities disclosed in common applications, such as Fastjson and Apache Log4j 2.
  • Website vulnerabilities include vulnerabilities detected on protected websites. Currently, only manual import of vulnerability data is supported. Website vulnerabilities cannot be fixed automatically; fix them manually by following the suggestions on the vulnerability details page.

Fixing Description

  • Linux and Windows vulnerabilities
    • The OS vulnerabilities listed below pose the most critical risk to enterprise security and have been consistently prioritized by red teams in cybersecurity drills over the past two years. HSS can detect them. If HSS reports any of them, fix them first.
      • Linux DirtyPipe privilege escalation vulnerability (CVE-2022-0847)
    • If the affected software is not running or has no listening port, the immediate risk is lower and the fix can be scheduled later. Confirm this on the host rather than assuming it, and note that a service bound only to a loopback address is still reachable by an attacker who already has a foothold on that server.
  • Application vulnerabilities
    • HSS cannot scan for vulnerabilities in commercial software such as Yonyou and Kingdee. Check such software for vulnerabilities yourself.
    • If an application vulnerability on a web server cannot be fixed, configure security group rules to allow only intranet access, or protect the server with WAF. Note that this only reduces risk: lateral movement from another compromised host, or a bypass of the filtering rules, can still lead to an intrusion.
    • The application vulnerabilities listed below pose the most critical risk to enterprise security and have been consistently prioritized by red teams in cybersecurity drills over the past two years. HSS can detect them. If HSS reports any of them, fix them first.
      • Nginx WebUI remote command execution vulnerability
      • Nacos deserialization vulnerability
      • Apache RocketMQ command injection vulnerability (CVE-2023-33246)
      • Apache Kafka remote code execution vulnerability (CVE-2023-25194)
      • WebLogic remote code execution vulnerability (CVE-2023-21839)
      • Atlassian Bitbucket Data Center remote code execution vulnerability (CVE-2022-26133)
      • Apache CouchDB remote code execution vulnerability (CVE-2022-24706)
      • F5 BIG-IP command execution vulnerability (CVE-2022-1388)
      • Fastjson deserialization vulnerability (CVE-2022-25845, versions earlier than 1.2.83)
      • Atlassian Confluence OGNL injection vulnerability (CVE-2022-26134)
      • Apache Log4j2 remote code execution vulnerability (CVE-2021-44228)
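
The following POSIX shell helper is an added example, not SecMaster or HSS code. It applies the two triage criteria from the fixing description above on a Linux host: whether the running kernel version falls inside the CVE-2022-0847 (DirtyPipe) affected range, and whether the affected software is actually listening and on which addresses. The version boundaries (introduced in 5.8; fixed in 5.16.11, 5.15.25 and 5.10.102) are from the upstream disclosure; distribution kernels frequently backport the fix without changing the version string, so a "vulnerable" verdict means "prioritize and confirm against the HSS result and the vendor advisory", not "confirmed exploitable". The `ss -lntp` output embedded below is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not SecMaster/HSS code): triage helper for OS vulnerabilities.
# Inputs are a kernel version string and `ss -lntp` output on stdin.
set -eu

# version_ge A B: true when version A >= version B (GNU sort -V ordering).
version_ge() { [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]; }

# kernel_base "5.15.0-91-generic" -> "5.15.0" (drop distro suffix, keep x.y.z)
kernel_base() { printf '%s\n' "$1" | cut -d- -f1 | cut -d. -f1-3; }

# dirtypipe_vulnerable VERSION: exit 0 if the version is inside the
# CVE-2022-0847 affected range (from the upstream disclosure), else 1.
# Backported fixes are NOT detected by a version check; confirm with HSS.
dirtypipe_vulnerable() {
  v=$(kernel_base "$1")
  version_ge "$v" "5.8" || return 1                # bug introduced in 5.8
  case "$v" in
    5.10.*) version_ge "$v" "5.10.102" && return 1 ;;
    5.15.*) version_ge "$v" "5.15.25"  && return 1 ;;
    5.16.*) version_ge "$v" "5.16.11"  && return 1 ;;
    *)      version_ge "$v" "5.17"     && return 1 ;;   # 5.17+ shipped fixed
  esac
  return 0   # 5.8-5.9, 5.11-5.14, or below the fixed point release
}

# service_exposure NAME (ss -lntp output on stdin): prints "exposed" when NAME
# has a LISTEN socket on a non-loopback address, "local-only" when it listens
# only on 127.x or [::1], and "not-listening" otherwise.
service_exposure() {
  awk -v name="$1" '
    $1 == "LISTEN" && index($NF, "\"" name "\"") {
      addr = $4; sub(/:[^:]*$/, "", addr)           # strip the ":port" suffix
      if (addr ~ /^127\./ || addr == "[::1]") local = 1; else exposed = 1
    }
    END {
      v = exposed ? "exposed" : (local ? "local-only" : "not-listening")
      print v
    }'
}

# triage KERNEL SERVICE (ss -lntp output on stdin): one-line verdict.
triage() {
  if dirtypipe_vulnerable "$1"; then k="in CVE-2022-0847 range, fix first"
  else k="outside CVE-2022-0847 range"; fi
  printf 'kernel %s: %s; %s: %s\n' "$1" "$k" "$2" "$(service_exposure "$2")"
}

# Constructed sample of `ss -lntp` output for the demo (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1201,fd=6),("nginx",pid=1200,fd=6))
LISTEN 0      4096   127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=950,fd=6))
LISTEN 0      4096   [::1]:6379         [::]:*            users:(("redis-server",pid=950,fd=7))'

# On a real host:  ss -lntp | triage "$(uname -r)" nginx
printf '%s\n' "$SAMPLE_SS" | triage "5.15.0-91-generic" nginx
printf '%s\n' "$SAMPLE_SS" | triage "5.10.102" redis-server
```

The first demo line illustrates the backport caveat: an Ubuntu-style `5.15.0-91-generic` string is flagged by the version check although such kernels may already carry the fix, which is why the HSS scan result, not this script, decides whether the item is closed. The exposure check only classifies listening sockets; a "local-only" service still counts as reachable for an attacker with local access.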

Prerequisites

Fix vulnerabilities during off-peak hours or within an approved change window.

Procedure for Fixing Vulnerabilities

  1. Log in to the SecMaster console.
  2. Go to the target workspace.
  3. In the navigation pane on the left, choose Risk Prevention > Vulnerabilities.

    Figure 1 Accessing the Vulnerabilities page

  4. Filter for Unhandled Linux, Windows, and application vulnerabilities whose Severity is High, and fix those first.

    Before fixing vulnerabilities, confirm with your service personnel whether the fixing will affect services.

  5. Fix the vulnerabilities.

    • Fixing Linux and Windows vulnerabilities

      Click the name of the target vulnerability. On the Vulnerability Details slide-out panel, click the Affected Resources tab. In the resource list, locate the row containing the target resource and click Repair in the Operation column. A message indicates that the fix operation has been triggered. Triggered is not the same as fixed: after the operation completes, confirm that the vulnerability no longer appears for that resource before treating it as handled.

      Vulnerability fixing operations cannot be rolled back. If a fix fails, services may be interrupted and incompatibility issues may occur in middleware or upper-layer applications. To avoid unrecoverable errors, use Cloud Server Backup Service (CSBS) to back up your servers first. For details, see Creating a CSBS Backup. Then use idle servers to simulate the production environment and test the fix there. Only if the test fix succeeds, apply it to servers running in the production environment.

    • Fixing Web-CMS and application vulnerabilities

      Click the name of the target vulnerability. On the Vulnerability Details slide-out panel, locate rectification suggestions, and fix the vulnerability for each asset listed in the Affected Resources area. The procedure is as follows:

      1. Log in to the server affected by the vulnerability and manually fix the vulnerability.

        Vulnerability fixing may affect service stability. You are advised to use either of the following methods to avoid such impact:

        • Method 1: Create a new ECS from an image and fix the vulnerability there.
          1. Create an image of the ECS whose vulnerability needs to be fixed. For details, see Creating a Full-ECS Image from an ECS.
          2. Use the image to create an ECS. For details, see Creating an ECS from an Image.
          3. Fix the vulnerability on the new ECS and verify the result.
          4. Switch services over to the new ECS and verify that they run stably.
          5. Keep the original ECS until the new one has run stably. If a fault occurs after the switchover and cannot be rectified, switch services back to the original ECS. Release the original ECS only after the new one is confirmed stable.
        • Method 2: Fix the vulnerability on the current server.
          1. Create a backup of the ECS to be fixed. For details, see Creating a CSBS Backup.
          2. Fix the vulnerability on the current server and verify the result.
          3. If services become unavailable after the fix and cannot be recovered in a timely manner, use the backup to restore the server. For details, see Using Backups to Restore Servers.
        • Use method 1 if you are fixing a vulnerability for the first time and cannot estimate the impact on services. You are advised to use pay-per-use billing for newly created ECSs so that you can release them at any time, and to switch the billing mode to yearly/monthly only after the service switchover succeeds. This limits costs if the fix fails.
        • Use method 2 if you have already fixed the same vulnerability on similar servers.
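
Both methods end with "fix and verify" on the server, but the page does not say what the verification looks like for an application vulnerability. The script below is an added example, not SecMaster or HSS code, using Apache Log4j2 (CVE-2021-44228) as the case: it lists every `log4j-core` jar under a directory whose version is below a target and exits non-zero if any remain, so it can gate the switchover in method 1 step 4 or the restore decision in method 2 step 3. The default target 2.17.1 is the Log4j 2.x release Apache recommends for Java 8; pass a different version as the second argument for other baselines. It assumes the jars are unpacked on disk with their version in the file name; jars shaded into a fat jar or nested inside a WAR are not seen, so the HSS re-scan remains the authority on whether the item is closed. The directory tree in the demo is constructed with `mktemp`, not a real deployment.

```shell
#!/bin/sh
# Added example (not SecMaster/HSS code): post-fix verification for an
# application vulnerability, here log4j-core below a target version.
set -eu

# version_ge A B: true when version A >= version B (GNU sort -V ordering).
version_ge() { [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]; }

# jar_version PATH: ".../log4j-core-2.14.1.jar" -> "2.14.1"
jar_version() {
  b=${1##*/}; b=${b%.jar}
  printf '%s\n' "${b#log4j-core-}"
}

# outdated_log4j_jars ROOT [TARGET]: print "path version" for each log4j-core
# jar under ROOT whose version is below TARGET (default 2.17.1).
# Shaded or nested jars are not inspected; paths with newlines are not expected.
outdated_log4j_jars() {
  target=${2:-2.17.1}
  find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
    v=$(jar_version "$jar")
    version_ge "$v" "$target" || printf '%s %s\n' "$jar" "$v"
  done
}

# verify_log4j_fix ROOT [TARGET]: exit 0 only when no outdated jar remains,
# otherwise list the offenders on stderr and exit 1 (use it as a gate before
# switching traffic to the fixed server).
verify_log4j_fix() {
  out=$(outdated_log4j_jars "$@")
  if [ -n "$out" ]; then
    printf 'Still vulnerable (below %s):\n%s\n' "${2:-2.17.1}" "$out" >&2
    return 1
  fi
  printf 'OK: no log4j-core jar below %s under %s\n' "${2:-2.17.1}" "$1"
}

# Demo on a constructed directory tree (not a real deployment).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/app1/lib" "$demo_dir/app2/lib"
: > "$demo_dir/app1/lib/log4j-core-2.14.1.jar"   # pre-fix, vulnerable
: > "$demo_dir/app2/lib/log4j-core-2.17.1.jar"   # already patched
verify_log4j_fix "$demo_dir" || echo "fix incomplete: do not switch traffic"
rm -f "$demo_dir/app1/lib/log4j-core-2.14.1.jar"   # simulate the upgrade
verify_log4j_fix "$demo_dir"
rm -rf "$demo_dir"
```

Run the listing once before the fix and save it, then again after: the diff is the audit record that the change touched exactly the artifacts you intended. On a real server the call is simply `verify_log4j_fix /opt` (or the application root); the same pattern works for any application where the fixed version is known and the artifact carries its version in the name.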