Understanding Red Hat products' vulnerabilities

Numerous avenues exist to obtain data about CVEs that affect Red Hat products. In a Product Security Blog post, the future of Red Hat security data is discussed in depth.

This article summarizes the data streams that Red Hat publishes and that can be used to collect security data for understanding vulnerabilities impacting Red Hat products.

  • The Red Hat CVE Database: Data on every CVE that affects any Red Hat product is cataloged in the Red Hat CVE Database. This is THE authoritative human-readable source of vulnerabilities that impact packages delivered as part of our Red Hat solutions.

  • The Red Hat Security Advisories Database: Human-readable information about every security advisory that Red Hat releases for product updates across the Red Hat portfolio.

  • Red Hat Security Advisories notifications: Red Hat offers a range of options to access release information; see Notifications and Advisories.

  • Red Hat CSAF: Red Hat security advisories released in a machine-readable data format approved by the security industry: the Common Security Advisory Framework (CSAF). CSAF data files are available through the Red Hat Customer Portal.

  • Red Hat VEX: Machine-readable data published for every single CVE that is registered in the Red Hat vulnerability database. VEX data files use CSAF format and are available through the Red Hat Customer Portal.

  • The Red Hat Security Data API: Another method to acquire Red Hat security data is through the Red Hat Security Data API. This is a powerful tool that provides this data in many different formats, depending on end-user needs.

  • Red Hat OVAL Data v2: Legacy OVAL v2 files are still updated for RHEL 7, 8, and 9. Please use the CSAF data instead, if possible, because the OVAL data format is going to be deprecated and will no longer be supported. CSAF is a more modern format that includes vulnerability information for all products, including layered products built on top of RHEL, such as OpenShift.

If your security scanner (SCA) reports that your system or environment is affected by a given CVE, please use the Red Hat security data above to verify whether the detection is accurate. You can learn more about vulnerability detection challenges in the Red Hat Vulnerability walkthrough videos. You can also use the Red Hat tutorial to process vulnerability scans manually.
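One way to check a scanner finding against a VEX file, shown as an added example that is not Red Hat's code. It relies only on the standard CSAF 2.0 fields `product_status` and `flags`; the sample document, the product IDs and the CVE number are constructed placeholders, and `triage` is a hypothetical helper name.

```python
import json

# Constructed, trimmed CSAF 2.0 VEX document; product IDs and the CVE are placeholders.
SAMPLE_VEX = json.loads("""
{
  "document": {"category": "csaf_vex", "csaf_version": "2.0"},
  "vulnerabilities": [{
    "cve": "CVE-0000-00000",
    "product_status": {
      "fixed": ["ExampleOS-9:examplepkg-1.2-3.el9"],
      "known_affected": ["ExampleOS-8:examplepkg"],
      "known_not_affected": ["ExampleOS-7:examplepkg"]
    },
    "flags": [{"label": "vulnerable_code_not_present",
               "product_ids": ["ExampleOS-7:examplepkg"]}]
  }]
}
""")

# Scanner-facing verdict for each CSAF product_status bucket.
VERDICTS = {
    "known_affected": "confirmed",
    "fixed": "compare installed build with fixed build",
    "known_not_affected": "false positive",
    "under_investigation": "undetermined",
}

def triage(doc, cve, product_id):
    """Return (status, verdict, justification) for one scanner finding."""
    if doc.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for status, verdict in VERDICTS.items():
            if product_id in vuln.get("product_status", {}).get(status, []):
                # For not-affected products, VEX flags carry the reason.
                why = next((f["label"] for f in vuln.get("flags", [])
                            if product_id in f.get("product_ids", [])), None)
                return status, verdict, why
    # CVE or product absent from the file: the data says nothing either way.
    return "not_listed", "undetermined", None

if __name__ == "__main__":
    for pid in ("ExampleOS-7:examplepkg", "ExampleOS-8:examplepkg", "ExampleOS-6:examplepkg"):
        print(pid, triage(SAMPLE_VEX, "CVE-0000-00000", pid))
```

A `not_listed` result means the file makes no statement about that product, so the finding stays open rather than being dismissed.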