Vulnerability management helps customers scan their systems for security vulnerabilities and provides vulnerability information and remediation suggestions. For some vulnerabilities, precise defense can be enabled and automatic fixes can be applied. This document describes how to perform vulnerability management.
Notes
To unlock the vulnerability management feature, you must have at least one Professional/Flagship Edition host.
The scope of vulnerability management is as follows:
Vulnerability Management Feature | Vulnerability Type | Linux System | Windows System |
Vulnerability Scanning (Professional and Flagship Edition hosts) | Linux software vulnerability | ✓ | × |
Vulnerability Scanning (Professional and Flagship Edition hosts) | Windows system vulnerability | × | ✓ |
Vulnerability Scanning (Professional and Flagship Edition hosts) | Web-CMS vulnerability | ✓ | ✓ |
Vulnerability Scanning (Professional and Flagship Edition hosts) | Application vulnerability | ✓ | ✓ |
Vulnerability Defense (Flagship Edition hosts) | Linux software vulnerability | × | × |
Vulnerability Defense (Flagship Edition hosts) | Windows system vulnerability | × | × |
Vulnerability Defense (Flagship Edition hosts) | Web-CMS vulnerability | ✓ (only certain vulnerabilities) | × |
Vulnerability Defense (Flagship Edition hosts) | Application vulnerability | ✓ (only certain vulnerabilities) | × |
Automatic Vulnerability Fix (Flagship Edition hosts) | Linux software vulnerability | ✓ (only certain vulnerabilities) | × |
Automatic Vulnerability Fix (Flagship Edition hosts) | Windows system vulnerability | × | × |
Automatic Vulnerability Fix (Flagship Edition hosts) | Web-CMS vulnerability | ✓ (only certain vulnerabilities) | ✓ (only certain vulnerabilities) |
Automatic Vulnerability Fix (Flagship Edition hosts) | Application vulnerability | × | × |
Because repairing a vulnerability may affect your business, automatic repair does not start as soon as a vulnerability is detected. You must review the vulnerability, click repair, and back up your data before the automatic repair is carried out.
Operating system lifecycle limitation. For operating systems that have entered the end-of-life status (i.e., versions of operating systems for which official updates have been stopped), Cloud Workload Protection Platform will no longer provide scanning and repair support for newly emerged vulnerabilities after the end-of-life date. Vulnerabilities that appeared before the end-of-life date will still be supported, and the range of supported vulnerabilities will not be affected. The list of end-of-life systems is as follows:
Operating System Version | Official End-Of-Life Date |
Windows Server 2003 | July 14, 2015 |
Windows Server 2008 | January 14, 2020 |
Windows Server 2008 R2 | January 14, 2020 |
Windows Server 2008 SP2 | January 14, 2020 |
Windows Server 2012 | October 10, 2023 |
Windows Server 2012 R2 | October 10, 2023 |
Ubuntu 12.04 LTS | April 28, 2017 |
Ubuntu 14.04 LTS | April 2019 |
Ubuntu 16.04 LTS | April 2021 |
Ubuntu 18.04 LTS | April 2023 |
CentOS 5 | March 31, 2017 |
CentOS 6 | November 30, 2020 |
CentOS 7 | June 30, 2024 |
CentOS 8 | December 31, 2021 |
Vulnerability Scanning
1. Log in to the Cloud Workload Protection Platform Console, and click Vulnerability Management in the left sidebar.
2. In the Vulnerability Scanning module, one-click scan and scheduled scan settings are supported.

Click One-click Scan, and a pop-up for one-click scan settings will appear, where you can set the vulnerability category, vulnerability level, scan timeout duration, and scan server range for this scan.
Click Scan Settings to open the vulnerability settings pop-up at the Scheduled Scan section. You can set the scheduled scan switch, period, vulnerability level, and vulnerability category.
Click Details to view the details of the last scan. From there you can download the scan report as a PDF and the scan results as an Excel file.

Vulnerability Defense
In the Vulnerability Defense module, you can turn the vulnerability defense switch on or off and view the number of bastion host units, the number of successful defenses, and the defense trend.

Click Defense Settings to open the vulnerability settings pop-up at the Vulnerability Defense section. You can set the vulnerability defense switch, view protectable vulnerabilities, select the protection host range, and view prevention plugin details.

Click the successful prevention count to view the attacks that have been successfully defended against, as well as the attack details.

Vulnerability Disposition
1. Below the vulnerability management page, you can view the statistics of currently detected vulnerabilities and the detailed vulnerability list.
2. In the Vulnerability Overview module, the vulnerability detection status, the number of network attack events, and today's new cases are displayed, as well as the total number of host security vulnerability databases.

Field Descriptions:
High-Priority Repair Vulnerabilities: This category displays vulnerabilities with attack heat as well as serious/high-risk vulnerabilities that need priority fixing. By default, it counts the number of vulnerabilities to be fixed. Click Custom Rule to define a custom rule for which vulnerabilities count as high-priority repair vulnerabilities.
All Vulnerabilities: The total number of detected Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, and application vulnerabilities.
Affected Hosts: The number of hosts with detected vulnerabilities.
Network Attack Events: Statistics on the quantity of network attack events in the past month.
Supported Vulnerabilities: You can view the vulnerability library supported for detection by Cloud Workload Protection Platform (CWPP). A maximum of 25 searches can be performed daily, and a single search can display up to 100 results.
3. In the Vulnerability List module, the specific vulnerabilities currently detected are displayed, divided into two categories: emergency vulnerabilities and all vulnerabilities. There is not much difference between the two, so the following takes All Vulnerabilities as an example to introduce the disposition of vulnerabilities.

Field Descriptions:
Vulnerability Name/Tag: The vulnerability name refers to the currently detected vulnerability, and the tag refers to the tag of the vulnerability (such as remote exploitation, service restart, existence of EXP, etc.).
Detection mode: Version comparison, POC validation.
Vulnerability Type: Linux software vulnerability, Windows system vulnerability, Web-CMS vulnerability, application vulnerability.
Threat Level: Serious, High Risk, Medium Risk, Low Risk.
Network-wide attack level: High, medium, low, no heat.
CVSS: Refers to the score of the Common Vulnerability Scoring System, with a score range from 0 to 10, where 0 represents the least serious and 10 represents the most serious.
CVE number: The unique identifier of this vulnerability in the Common Vulnerabilities and Exposures repository.
Last scan time: The most recent time this vulnerability was scanned.
Affected Hosts: The number of hosts with this vulnerability.
Processing status: to be fixed, fix, scanning, fixed, ignored, fix failure.
Automatic Fix Status: Not supported for fixing, can be automatically fixed (no restart required), can be automatically fixed (restart required).
Operation
Fixing solution: For vulnerabilities that do not support automatic repair, you can click Fixing solution to open the vulnerability details pop-up and manually fix the vulnerability according to the fixing solution.
Automatic Fix: Some Linux software vulnerabilities and Web-CMS vulnerabilities support automatic fixing. You can click Automatic Fix to open the vulnerability details pop-up window and select the server that needs to be fixed. For more details, see Automatic Vulnerability Fix.
More: Rescan (rescan this vulnerability); Ignore (ignore this vulnerability and no longer scan this host for this vulnerability in the future).
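
The field descriptions above can be turned into a remediation work plan. The following Python sketch is an added example, not part of the product or its documentation: it selects high-priority vulnerabilities and groups them by the action their Automatic Fix Status calls for. The dictionary keys, the sample rows, and the reading of "attack heat" as any network-wide attack level other than "no heat" are assumptions made for illustration.

```python
from collections import defaultdict

# Hypothetical keys standing in for the Vulnerability List fields described above.
FIELDS = ("name", "type", "threat", "heat", "cvss", "status", "autofix")
# Constructed sample rows (not real findings), one tuple per vulnerability.
ROWS = [
    ("Sample kernel flaw", "Linux software vulnerability", "Serious", "High", 9.8,
     "to be fixed", "can be automatically fixed (restart required)"),
    ("Sample library flaw", "Linux software vulnerability", "Medium Risk", "no heat", 5.3,
     "to be fixed", "can be automatically fixed (no restart required)"),
    ("Sample CMS flaw", "Web-CMS vulnerability", "Low Risk", "medium", 3.7,
     "to be fixed", "can be automatically fixed (no restart required)"),
    ("Sample Windows flaw", "Windows system vulnerability", "High Risk", "no heat", 8.1,
     "to be fixed", "Not supported for fixing"),
    ("Sample app flaw", "Application vulnerability", "Serious", "low", 9.1,
     "ignored", "Not supported for fixing"),
]
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]

def is_high_priority(v):
    """Assumed default rule: still to be fixed, and under attack or Serious/High Risk."""
    under_attack = v["heat"].lower() != "no heat"
    severe = v["threat"] in ("Serious", "High Risk")
    return v["status"] == "to be fixed" and (under_attack or severe)

def bucket(v):
    """Map Automatic Fix Status to the action an operator has to schedule."""
    auto = v["autofix"].lower()
    if not auto.startswith("can be automatically fixed"):
        return "manual fix (follow Fixing solution)"
    if "no restart" in auto:
        return "automatic fix, back up first"
    return "automatic fix, back up first, needs restart window"

def plan(vulns):
    """Group high-priority vulnerabilities by action, highest CVSS first."""
    out = defaultdict(list)
    for v in sorted(filter(is_high_priority, vulns), key=lambda v: -v["cvss"]):
        out[bucket(v)].append(v["name"])
    return dict(out)

if __name__ == "__main__":
    for action, names in plan(SAMPLE).items():
        print(f"{action}: {', '.join(names)}")
```

Ignored vulnerabilities drop out of the plan entirely, so review the ignore list separately when a serious finding such as the last sample row has been ignored.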