My vulnerability scanner found many vulnerabilities, where do I start?
Red Hat places a strong emphasis on our customers’ security. The following recommendations are being given to ensure that you are spending your time investigating and remediating vulnerabilities when an automated scanner has returned a list of many CVEs.
Confirming Results
A first step to consider when receiving an unusually high number of vulnerability reports on a system is to check the configuration of the automated reporting mechanism. Relying on a misconfigured automated reporting mechanism can result in time lost following up on false positives and in actual vulnerabilities being missed.
For more information about the configuration of an individual vulnerability scan, please contact the certified vulnerability partner or other provider for that tool. Information about how to contact support for certified vulnerability partners can be found under Get Started > Support when you click through to an individual partner listed in the Vulnerability Management Collection.
Backported Security Fixes
Red Hat backports security fixes to the stable versions of packages that we ship as a way to provide security without introducing version incompatibilities. This can sometimes confuse third-party security tools, as they see what they believe is a vulnerable version of a package without understanding that Red Hat has already backported corrections and security fixes. This process is described in detail here:
Taking Action
For more on understanding the actions to take resulting from automated vulnerability reporting tools and vulnerability scans, please review the following information:
- Tutorial on how to process vulnerability scans: how to interpret and address threats found in a vulnerability scan
- Vulnerability scanning walkthrough - Video - this video from Red Hat Product Security focuses on vulnerability scanners, how they operate, and the objectives scanning vendors pursue in developing these tools
Reviewing a List of CVEs
In order to review the status of many CVEs at one time, Red Hat has created the CVE Checker Lab. This allows you to input a comma-separated list of CVEs and receive information about each one:
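The following script is an added example, not Red Hat's code or the CVE Checker Lab itself. It illustrates the two points above in one place: a version-based scanner can flag a package whose installed build already carries a backported fix, and the fix is typically recorded in the RPM changelog. The script takes a comma-separated CVE list in the same form the lab accepts, extracts the CVE ids mentioned in a package changelog, and reports which listed CVEs the changelog accounts for. The changelog text is constructed and the CVE ids are placeholders; the `installed_changelog` helper shows how to pull the real changelog with `rpm -q --changelog` on an actual system. A changelog mention is a useful triage signal but not an authoritative verdict; the remaining "needs-review" items are what you would confirm against the Red Hat CVE pages or the CVE Checker Lab.

```python
"""Reconcile a scanner's CVE list against an RPM package changelog.

Added example (not Red Hat's code). Backported fixes are recorded in the
package changelog, so a scanner that keys only on the upstream version string
may report a CVE the installed build already fixes. This script pulls CVE ids
out of a changelog and marks which ids from a comma-separated list appear there.
The SAMPLE_CHANGELOG below is constructed and its CVE ids are placeholders.
"""
import re
import subprocess

# Matches ids such as CVE-2024-12345 (four-digit year, 4+ digit sequence).
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample in the shape of `rpm -q --changelog <package>` output.
SAMPLE_CHANGELOG = """\
* Tue Jan 02 2024 Maintainer <maint@example.invalid> - 1.0.2-5
- fix out-of-bounds read in parser
- Resolves: CVE-0000-0001

* Mon Nov 06 2023 Maintainer <maint@example.invalid> - 1.0.2-4
- backport upstream fix for CVE-0000-0002, cve-0000-0003
"""


def cves_in_changelog(changelog_text: str) -> set:
    """Return the set of CVE ids (upper-cased) mentioned anywhere in the changelog."""
    return {match.upper() for match in CVE_RE.findall(changelog_text)}


def parse_cve_list(csv: str) -> list:
    """Normalise a comma-separated CVE list: trim, upper-case, drop blanks and duplicates."""
    seen = []
    for item in csv.split(","):
        cve = item.strip().upper()
        if cve and cve not in seen:
            seen.append(cve)
    return seen


def reconcile(csv: str, changelog_text: str) -> dict:
    """Map each listed CVE to 'fixed-in-changelog' or 'needs-review'.

    'needs-review' does not mean vulnerable: the package may never have shipped
    the affected code, or the fix may be recorded elsewhere. Confirm those
    entries against Red Hat's CVE pages rather than treating them as findings.
    """
    fixed = cves_in_changelog(changelog_text)
    return {
        cve: ("fixed-in-changelog" if cve in fixed else "needs-review")
        for cve in parse_cve_list(csv)
    }


def installed_changelog(package: str) -> str:
    """Fetch the real changelog of an installed RPM (requires the rpm tool)."""
    result = subprocess.run(
        ["rpm", "-q", "--changelog", package],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Scanner output pasted as a comma-separated list, as the lab accepts it.
    scanner_list = "cve-0000-0001, CVE-0000-0009 ,CVE-0000-0002,,cve-0000-0001"
    for cve, status in reconcile(scanner_list, SAMPLE_CHANGELOG).items():
        print(f"{cve}: {status}")
```

On a live system, replace `SAMPLE_CHANGELOG` with `installed_changelog("<package>")` for the package the scanner flagged, then take the "needs-review" ids to the CVE Checker Lab.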