Understanding Red Hat products' vulnerabilities

Updated -

There are numerous avenues to get data about CVEs that affect Red Hat products. In a Product Security Blog post, the history and outputs of Red Hat security vulnerability data are discussed in depth.

This article summarizes the assorted data streams that can be used to understand vulnerabilities impacting Red Hat products.

  • DaysofRisk Script: The daysofrisk.pl script uses a series of data files on the Red Hat Customer Portal and provides a wide range of details about the delivery of fixes, by product, by date, and by criticality. The daysofrisk script, all of its data files, and usage descriptions can be found on the Security Data page of the Red Hat Customer Portal.

  • RHSA-Announce-List: Red Hat provides a mailing list for anyone interested in having updates sent to them as Red Hat Security Advisories (RHSA) are published.

  • The Red Hat CVE Database: Data on every CVE that affects any Red Hat product is cataloged in the Red Hat CVE Database. This is THE authoritative source of vulnerabilities that impact packages that are delivered as part of our Red Hat solutions.

  • Red Hat Security Advisories: Also on the Red Hat Customer Portal, a listing of all RHSAs that are available is provided on the Security Advisories Page. Interested parties can also sign up for email alerts here by clicking the Notification Preferences button.

  • Red Hat OVAL Data v1: Red Hat provides information about all vulnerabilities that have been addressed through an RHSA via an Open Vulnerability and Assessment Language (OVAL) repository. The 1.0 OVAL files cover RPM packages provided by Red Hat Enterprise Linux (RHEL). OpenSCAP is a tool provided by Red Hat that can perform configuration compliance checking as well as vulnerability scanning based upon this OVAL data. SCAP data is available via the same Security Metrics page.

  • Red Hat CVRF: Another popular format for sharing vulnerability information is the Common Vulnerability Reporting Framework (CVRF). CVRF data files are available through the Red Hat Customer Portal.

  • The Red Hat Security Data API: Another method to acquire this security data is through the Red Hat Security Data API. This is a powerful tool that provides the data in many different formats, depending on end-user need. A tool is available to help simplify the use of the API: the rhsecapi tool, which has comprehensive documentation.

  • Red Hat OVAL Data v2: Starting in 2019, OVAL data files were provided for RPM-based layered products that run on top of RHEL. The OVAL v2 files are available. Starting late summer 2019, the OVAL data will be augmented to provide not only information about vulnerabilities that have security advisories, but also issues that are still under analysis, issues that impact out-of-support versions of Red Hat software, and issues that Program Management has closed as "WONTFIX".
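The OVAL files described above are what OpenSCAP evaluates, but they are also plain XML that can be read directly, for example to see which CVEs and advisories a definition covers and which package versions it checks. The following is an added example, not code from the Red Hat article or from OpenSCAP. The embedded document is constructed for the example: it follows the standard OVAL 5 definitions schema (definition, metadata, reference, criteria, criterion), and its advisory ID, definition IDs and package versions are placeholders rather than values taken from any real Red Hat OVAL file.

```python
"""Summarise the definitions in an OVAL definitions file.

Added example (not part of the Red Hat article). SAMPLE_OVAL is a
constructed document shaped like the OVAL 5 definitions schema;
the RHSA-YYYY:NNNN advisory and the package versions are placeholders.
"""
import re
import xml.etree.ElementTree as ET

OVAL_NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample: one "patch" class definition referencing one RHSA and
# one CVE, with criteria shaped like Red Hat's "<pkg> is earlier than <EVR>".
SAMPLE_OVAL = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="patch" id="oval:com.example:def:1" version="1">
      <metadata>
        <title>RHSA-YYYY:NNNN: python3 security update (Important)</title>
        <affected family="unix">
          <platform>Red Hat Enterprise Linux 8</platform>
        </affected>
        <reference ref_id="RHSA-YYYY:NNNN" source="RHSA"
                   ref_url="https://access.redhat.com/errata/RHSA-YYYY:NNNN"/>
        <reference ref_id="CVE-2019-10160" source="CVE"
                   ref_url="https://access.redhat.com/security/cve/CVE-2019-10160"/>
        <description>Constructed sample definition.</description>
      </metadata>
      <criteria operator="AND">
        <criterion comment="Red Hat Enterprise Linux 8 is installed"
                   test_ref="oval:com.example:tst:1"/>
        <criteria operator="OR">
          <criterion comment="python3 is earlier than 0:3.6.8-99.el8"
                     test_ref="oval:com.example:tst:2"/>
          <criterion comment="python3-libs is earlier than 0:3.6.8-99.el8"
                     test_ref="oval:com.example:tst:3"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

# Red Hat phrases package version checks as "<name> is earlier than <EVR>".
CHECK_RE = re.compile(r"^(\S+) is earlier than (\S+)$")


def parse_definitions(xml_text):
    """Return one dict per <definition>: id, class, title, platforms,
    CVE and RHSA references, and the raw criterion comments."""
    root = ET.fromstring(xml_text)
    results = []
    for d in root.iterfind("oval:definitions/oval:definition", OVAL_NS):
        meta = d.find("oval:metadata", OVAL_NS)
        refs = {}
        for r in meta.iterfind("oval:reference", OVAL_NS):
            refs.setdefault(r.get("source"), []).append(r.get("ref_id"))
        results.append({
            "id": d.get("id"),
            "class": d.get("class"),
            "title": meta.findtext("oval:title", default="", namespaces=OVAL_NS),
            "platforms": [p.text for p in
                          meta.iterfind("oval:affected/oval:platform", OVAL_NS)],
            "cves": refs.get("CVE", []),
            "advisories": refs.get("RHSA", []),
            # criterion elements may be nested under several <criteria>
            "checks": [c.get("comment")
                       for c in d.iter("{%s}criterion" % OVAL_NS["oval"])],
        })
    return results


def package_checks(definition):
    """Extract (package, fixed-EVR) pairs from a definition's criteria."""
    pairs = []
    for comment in definition["checks"]:
        m = CHECK_RE.match(comment or "")
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def definitions_for_cve(definitions, cve_id):
    """Definitions whose references include the given CVE (case-insensitive)."""
    wanted = cve_id.upper()
    return [d for d in definitions if wanted in (c.upper() for c in d["cves"])]


if __name__ == "__main__":
    for d in definitions_for_cve(parse_definitions(SAMPLE_OVAL), "cve-2019-10160"):
        print(d["id"], d["advisories"], d["platforms"])
        for pkg, evr in package_checks(d):
            print("  fixed in", pkg, evr)
```

Running the same functions over a real Red Hat OVAL file gives a quick map from a CVE to the advisory and the package EVR that a system must be at or above; the authoritative verdict for an installed system still comes from evaluating the file with OpenSCAP.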

If your security scanner found that your system is affected by a given CVE, you can visit the Red Hat Customer Portal page for that CVE for an assessment. Append the CVE number to the end of the URL and visit https://access.redhat.com/security/cve/<cve-identification>. For example, for CVE-2019-10160 you would visit https://access.redhat.com/security/cve/cve-2019-10160. On that page you will find the issue assessment and which errata fixed the vulnerability, or you may discover that some implementations are not affected by the vulnerability at all.
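The same triage can be scripted against the Security Data API mentioned above, so that a scanner finding is checked against Red Hat's own statement for the product in question before anyone treats it as confirmed. The following is an added example, not code from the article, from rhsecapi or from Red Hat. It assumes that the per-CVE JSON returned by the API carries an `affected_release` list (fixed releases, each with an advisory, package and CPE) and a `package_state` list (unfixed or not-affected products, each with a `fix_state` and CPE); the embedded record is constructed, uses a fictitious CVE number, and its fix states describe no real vulnerability.

```python
"""Build a Red Hat CVE page URL and triage a CVE record for one product.

Added example (not from the Red Hat article). SAMPLE_CVE_JSON is a
constructed record shaped like the Security Data API's per-CVE JSON
(an assumption about the API); the CVE number and fix states are invented.
"""
import json
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def cve_page_url(cve_id):
    """Return the Customer Portal URL for a CVE, as the article describes,
    after validating the identifier so arbitrary text is never appended."""
    if not CVE_RE.match(cve_id):
        raise ValueError("not a CVE identifier: %r" % cve_id)
    return "https://access.redhat.com/security/cve/" + cve_id.lower()


# Constructed sample record; RHSA-YYYY:NNNN and the package EVR are placeholders.
SAMPLE_CVE_JSON = json.dumps({
    "name": "CVE-2099-12345",
    "threat_severity": "Important",
    "affected_release": [
        {"product_name": "Red Hat Enterprise Linux 8",
         "advisory": "RHSA-YYYY:NNNN",
         "package": "python3-0:3.6.8-99.el8",
         "cpe": "cpe:/o:redhat:enterprise_linux:8"},
    ],
    "package_state": [
        {"product_name": "Red Hat Enterprise Linux 6",
         "fix_state": "Not affected",
         "package_name": "python",
         "cpe": "cpe:/o:redhat:enterprise_linux:6"},
        {"product_name": "Red Hat Enterprise Linux 7",
         "fix_state": "Affected",
         "package_name": "python",
         "cpe": "cpe:/o:redhat:enterprise_linux:7"},
    ],
})


def assess(cve_json, product_cpe):
    """Decide what Red Hat says about this CVE for one product CPE.

    A fixed release wins over a package_state entry; products listed in
    neither are reported as 'Not listed' so they are not silently treated
    as safe."""
    data = json.loads(cve_json)
    for rel in data.get("affected_release", []):
        if rel.get("cpe") == product_cpe:
            return {"state": "Fixed",
                    "advisory": rel.get("advisory"),
                    "package": rel.get("package")}
    for st in data.get("package_state", []):
        if st.get("cpe") == product_cpe:
            return {"state": st.get("fix_state"),
                    "advisory": None,
                    "package": st.get("package_name")}
    return {"state": "Not listed", "advisory": None, "package": None}


def needs_action(verdict):
    """True when the scanner finding should stay open for this product."""
    return verdict["state"] not in ("Not affected", "Fixed")


if __name__ == "__main__":
    print(cve_page_url("CVE-2019-10160"))
    for cpe in ("cpe:/o:redhat:enterprise_linux:6",
                "cpe:/o:redhat:enterprise_linux:7",
                "cpe:/o:redhat:enterprise_linux:8",
                "cpe:/o:redhat:enterprise_linux:9"):
        v = assess(SAMPLE_CVE_JSON, cpe)
        print(cpe, v, "-> action" if needs_action(v) else "-> close")
```

A "Fixed" verdict still has to be checked against the installed package version (the advisory's package EVR is the threshold), and a "Not listed" product should be confirmed on the CVE page rather than assumed unaffected.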