Using rhsecapi to query the Red Hat Security Data API

Updated -

Overview

Note: The following information has been provided by Red Hat, but is outside the scope of the posted Service Level Agreements and support procedures (Production Support - Red Hat Customer Portal). The information is provided as-is and any configuration settings or installed applications made from the information in this article could make the Operating System unsupported by Red Hat Global Support Services. The intent of this article is to provide information to accomplish the system's needs. Use of the information in this article at the user's own risk.

The Red Hat Security Data API 1 is the primary source of Red Hat Security team response. This differs from the OVAL definition dataset 2 provided with Red Hat Enterprise Linux 3 through Red Hat Enterprise Linux 8, as that dataset is only applicable to CVEs 3 that have been addressed via Errata 4.

To simplify the use of the Red Hat Security Data API, the rhsecapi utility is provided as a courtesy to those wishing to make use of that dataset.

Installation

The rhsecapi utility is available via an externally-available COPR repository.

kwalker/rhsecapi Copr

Using the instructions above, the following example commands install the script on a Red Hat Enterprise Linux 7 system.

$ sudo yum-config-manager --add-repo https://copr.fedorainfracloud.org/coprs/kwalker/rhsecapi/repo/epel-7/kwalker-rhsecapi-epel-7.repo
$ sudo yum install rhsecapi

Basic Usage

Query by CVE

Querying a single CVE is as simple as providing it on the command line.

$ rhsecapi CVE-2013-4113

CVE-2013-4113
  SEVERITY : Critical Impact
  DATE     : 2013-07-11
  BUGZILLA : 983689
  FIXED_RELEASES :
   Red Hat Enterprise Linux 5: [php-5.1.6-40.el5_9] via RHSA-2013:1049 (2013-07-12)
   Red Hat Enterprise Linux 5: [php53-5.3.3-13.el5_9.1] via RHSA-2013:1050 (2013-07-12)
   Red Hat Enterprise Linux 6: [php-5.3.3-23.el6_4] via RHSA-2013:1049 (2013-07-12)
   Red Hat Enterprise Linux Extended Lifecycle Support 3: [php-4.3.2-56.ent] via RHSA-2013:1063 (2013-07-15)
   Red Hat Enterprise Linux Extended Lifecycle Support 4: [php-4.3.9-3.37.el4] via RHSA-2013:1063 (2013-07-15)
   Red Hat Enterprise Linux EUS (v. 5.6 server): [php-5.1.6-27.el5_6.5] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux EUS (v. 5.6 server): [php53-5.3.3-1.el5_6.3] via RHSA-2013:1062 (2013-07-15)
   Red Hat Enterprise Linux Extended Update Support 6.2: [php-5.3.3-3.el6_2.10] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux Extended Update Support 6.3: [php-5.3.3-14.el6_3.1] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux Long Life (v. 5.3 server): [php-5.1.6-23.4.el5_3] via RHSA-2013:1061 (2013-07-15)
  FIX_STATES :
   Affected: Red Hat Software Collections 1 for Red Hat Enterprise Linux [php54-php]
   Not affected: Red Hat Enterprise Linux 7 [php]

Multiple CVEs can be provided at one time and each will be retrieved.

$ rhsecapi CVE-2013-4113 CVE-2014-3669

CVE-2013-4113
  SEVERITY : Critical Impact
  DATE     : 2013-07-11
  BUGZILLA : 983689
  FIXED_RELEASES :
   Red Hat Enterprise Linux 5: [php-5.1.6-40.el5_9] via RHSA-2013:1049 (2013-07-12)
   Red Hat Enterprise Linux 5: [php53-5.3.3-13.el5_9.1] via RHSA-2013:1050 (2013-07-12)
   Red Hat Enterprise Linux 6: [php-5.3.3-23.el6_4] via RHSA-2013:1049 (2013-07-12)
   Red Hat Enterprise Linux Extended Lifecycle Support 3: [php-4.3.2-56.ent] via RHSA-2013:1063 (2013-07-15)
   Red Hat Enterprise Linux Extended Lifecycle Support 4: [php-4.3.9-3.37.el4] via RHSA-2013:1063 (2013-07-15)
   Red Hat Enterprise Linux EUS (v. 5.6 server): [php-5.1.6-27.el5_6.5] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux EUS (v. 5.6 server): [php53-5.3.3-1.el5_6.3] via RHSA-2013:1062 (2013-07-15)
   Red Hat Enterprise Linux Extended Update Support 6.2: [php-5.3.3-3.el6_2.10] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux Extended Update Support 6.3: [php-5.3.3-14.el6_3.1] via RHSA-2013:1061 (2013-07-15)
   Red Hat Enterprise Linux Long Life (v. 5.3 server): [php-5.1.6-23.4.el5_3] via RHSA-2013:1061 (2013-07-15)
  FIX_STATES :
   Affected: Red Hat Software Collections 1 for Red Hat Enterprise Linux [php54-php]
   Not affected: Red Hat Enterprise Linux 7 [php]

CVE-2014-3669
  SEVERITY : Moderate Impact
  DATE     : 2014-09-18
  BUGZILLA : 1154500
  FIXED_RELEASES :
   Red Hat Enterprise Linux 5: [php53-5.3.3-26.el5_11] via RHSA-2014:1768 (2014-10-30)
   Red Hat Enterprise Linux 5: [php-5.1.6-45.el5_11] via RHSA-2014:1824 (2014-11-06)
   Red Hat Enterprise Linux 6: [php-5.3.3-40.el6_6] via RHSA-2014:1767 (2014-10-30)
   Red Hat Enterprise Linux 7: [php-5.4.16-23.el7_0.3] via RHSA-2014:1767 (2014-10-30)
   Red Hat Enterprise Linux Extended Update Support 6.5: [php-5.3.3-27.el6_5.3] via RHSA-2015:0021 (2015-01-08)
   Red Hat Software Collections 1 for Red Hat Enterprise Linux 6: [php54-php-5.4.16-22.el6] via RHSA-2014:1765 (2014-10-30)
   Red Hat Software Collections 1 for Red Hat Enterprise Linux 6: [php55-php-5.5.6-13.el6] via RHSA-2014:1766 (2014-10-30)
   Red Hat Software Collections 1 for Red Hat Enterprise Linux 7: [php54-php-5.4.16-22.el7] via RHSA-2014:1765 (2014-10-30)
   Red Hat Software Collections 1 for Red Hat Enterprise Linux 7: [php55-php-5.5.6-13.el7] via RHSA-2014:1766 (2014-10-30)
Advanced Queries

The --q-product flag can be used to gather a list of CVEs applicable to a specific product. In the output below, this is being paired with the --q-after <date> flag to limit the returned CVEs to only those since July 1st 2019.

$ rhsecapi --q-product "Red Hat Enterprise Linux 8" --q-after 2019-07-01

CVE ID          PUB DATE    BUGZILLA  SEVERITY   CVSS2  CVSS3  RHSAS  PKGS
CVE-2019-2769   2019-07-16  1730056   moderate          5.3     7      5  
CVE-2019-2818   2019-07-16  1730078   low               3.1     2      2  
CVE-2019-2816   2019-07-16  1730099   moderate          4.8     7      5  
CVE-2019-2842   2019-07-16  1730110   moderate          3.7     5      3  
CVE-2019-2821   2019-07-16  1730251   moderate          5.3     2      2  
CVE-2019-2786   2019-07-16  1730255   low               3.1     7      5  
CVE-2019-2745   2019-07-16  1730411   moderate          5.1     7      5  
CVE-2019-2762   2019-07-16  1730415   moderate          5.3     7      5  
CVE-2019-11709  2019-07-10  1728430   critical          8.8     6      6  
CVE-2019-11711  2019-07-10  1728431   important         7.5     6      6  
CVE-2019-11712  2019-07-10  1728432   important         7.5     6      6  
CVE-2019-11713  2019-07-10  1728433   important         7.5     6      6  
CVE-2019-11715  2019-07-10  1728434   moderate          6.1     6      6  
CVE-2019-11717  2019-07-10  1728435   moderate          6.1     6      6  
CVE-2019-11730  2019-07-10  1728438   moderate          6.1     6      6  
CVE-2019-9811   2019-07-10  1728439   important         7.5     6      6  

This can be further limited via the other --q-<type> flags. The example below shows that there has only been a single CVE ranked above a CVSSv3 score of 8:

# rhsecapi --q-product "Red Hat Enterprise Linux 8" --q-after 2019-07-01 --q-cvss3 "8"

CVE ID          PUB DATE    BUGZILLA  SEVERITY  CVSS2  CVSS3  RHSAS  PKGS
CVE-2019-11709  2019-07-10  1728430   critical         8.8     6      6  

To show further details beyond the summary above, the -x flag can be provided. This results in the initail list of CVEs returned to be used as a starting point in which to conduct a full query for each.

$ rhsecapi --q-product "Red Hat Enterprise Linux 8" --q-after 2019-07-01 --q-cvss3 "8" -x

CVE-2019-11709
  SEVERITY : Critical Impact
  DATE     : 2019-07-10
  BUGZILLA : 1728430
  FIXED_RELEASES :
   Red Hat Enterprise Linux 6: [firefox-60.8.0-1.el6_10] via RHSA-2019:1765 (2019-07-11)
   Red Hat Enterprise Linux 6: [thunderbird-60.8.0-1.el6_10] via RHSA-2019:1777 (2019-07-15)
   Red Hat Enterprise Linux 7: [firefox-60.8.0-1.el7_6] via RHSA-2019:1763 (2019-07-11)
   Red Hat Enterprise Linux 7: [thunderbird-60.8.0-1.el7_6] via RHSA-2019:1775 (2019-07-15)
   Red Hat Enterprise Linux 8: [firefox-60.8.0-1.el8_0] via RHSA-2019:1764 (2019-07-11)
   Red Hat Enterprise Linux 8: [thunderbird-60.8.0-1.el8_0] via RHSA-2019:1799 (2019-07-16)
  FIX_STATES :
   Out of support scope: Red Hat Enterprise Linux 5 [firefox]

All fields available via the API can be retrieved via the addition of the -a flag:

$ rhsecapi --q-product "Red Hat Enterprise Linux 8" --q-after 2019-07-01 --q-cvss3 "8" -x -a

CVE-2019-11709
  SEVERITY : Critical Impact
  DATE     : 2019-07-10
  CWE      : CWE-120
  CVSS3    : 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  BUGZILLA : 1728430
  ACKNOWLEDGEMENT :  
   Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert as the original reporters.
  DETAILS  : 
   Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could
   be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
  REFERENCES :
   https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11709
  FIXED_RELEASES :
   Red Hat Enterprise Linux 6: [firefox-60.8.0-1.el6_10] via RHSA-2019:1765 (2019-07-11)
   Red Hat Enterprise Linux 6: [thunderbird-60.8.0-1.el6_10] via RHSA-2019:1777 (2019-07-15)
   Red Hat Enterprise Linux 7: [firefox-60.8.0-1.el7_6] via RHSA-2019:1763 (2019-07-11)
   Red Hat Enterprise Linux 7: [thunderbird-60.8.0-1.el7_6] via RHSA-2019:1775 (2019-07-15)
   Red Hat Enterprise Linux 8: [firefox-60.8.0-1.el8_0] via RHSA-2019:1764 (2019-07-11)
   Red Hat Enterprise Linux 8: [thunderbird-60.8.0-1.el8_0] via RHSA-2019:1799 (2019-07-16)
  FIX_STATES :
   Out of support scope: Red Hat Enterprise Linux 5 [firefox]

More Information

Contrary to the OVAL dataset, the rhsecapi and the Red hat Security Data API can be used to query CVEs that have not yet been identified as part of a particular product, or are in the process of being evaluated by Red Hat Security. Where the above Advanced Queries section shows only a single CVE with a CVSSv3 score above 8, the below query shows quite a few more:

$ rhsecapi --q-after 2019-07-01 --q-cvss3 "8"

CVE ID          PUB DATE    BUGZILLA  SEVERITY   CVSS2  CVSS3  RHSAS  PKGS
CVE-2019-13300  2019-07-17  1730580   moderate          8.8     0      0  
CVE-2019-13298  2019-07-17  1730590   moderate          8.8     0      0  
CVE-2019-13308  2019-07-16  1730342   moderate          8.8     0      0  
CVE-2019-13306  2019-07-16  1730357   moderate          8.8     0      0  
CVE-2019-13305  2019-07-16  1730361   moderate          8.8     0      0  
CVE-2019-13304  2019-07-16  1730364   moderate          8.8     0      0  
CVE-2019-13303  2019-07-16  1730368   moderate          8.8     0      0  
CVE-2019-5847   2019-07-15  1731071   important         8.8     0      0  
CVE-2018-17196  2019-07-11  1732309   important         8.8     0      0  
CVE-2019-11709  2019-07-10  1728430   critical          8.8     6      6  
CVE-2019-11710  2019-07-09  1730990   critical          8.8     0      0  
CVE-2019-10137  2019-07-01  1702604   important         8.1     1      1  

Using the above list as a guide, we can see that at least one of the CVEs currently would not be reflected in the OVAL dataset as it doesn't have an associated Errata.

$ rhsecapi CVE-2019-11710

CVE-2019-11710
  SEVERITY : Critical Impact
  DATE     : 2019-07-09
  BUGZILLA : 1730990
  FIX_STATES :
   Out of support scope: Red Hat Enterprise Linux 5 [firefox]
   Not affected: Red Hat Enterprise Linux 6 [firefox]
   Not affected: Red Hat Enterprise Linux 7 [firefox]
   Not affected: Red Hat Enterprise Linux 8 [firefox]