Anatomy of a Red Hat Security Advisory

Red Hat published on 2013-04-24T13:00:14+00:00, last updated 2013-04-24T13:00:14+00:00

Red Hat Security Advisories (RHSA) document the security flaws being fixed in Red Hat products. They include:

  • The affected products the advisory applies to.
  • The security rating of the update (low, moderate, important, critical).
  • A brief description of the flaws being fixed.
  • How an attacker could exploit the issues, for example whether privileges or local access are needed.
  • Any manual action that may be required, such as restarting applications that use an affected library, or configuration file changes.
  • In the case of ZIP updates for certain JBoss products, information on where to find the update in the Red Hat Customer Portal.

The advisories also link to a page with the GPG keys used to sign the packages and instructions for verifying signatures (once the keys are imported, "rpm -K", short for rpm --checksig, verifies a downloaded package against them), and to the key used to communicate securely with the Red Hat Security Response Team and to sign the advisories mailed to the enterprise-watch-list, rhsa-announce, rhev-watch-list, and jboss-watch-list mailing lists.

Where to find the advisories

The content of RHSAs can be viewed with the pup tool on Red Hat Enterprise Linux 5 and the PackageKit tool on Red Hat Enterprise Linux 6. These tools only display advisories that affect the given system; for example, an advisory for package1 is not displayed if package1 is not installed on your system. The yum tool itself does not display the content of the advisory, just the affected package name (with the yum-security plugin on Red Hat Enterprise Linux 5, or yum-plugin-security on Red Hat Enterprise Linux 6, "yum list-security" and "yum info-security" show the advisories that apply to the system, and "yum --security update" installs only security updates). None of these tools display or install updates on systems that are not registered to the Red Hat Network or a Red Hat Network Satellite server. E-mail notification of new updates is available from the Red Hat Network.

Security advisories for all packages and all products can be viewed on https://rhn.redhat.com/errata/ or via the enterprise-watch-list, rhsa-announce, rhev-watch-list, and jboss-watch-list mailing lists. Note that non-security advisories are not mailed to these lists.

Users of JBoss products distributed as ZIP files from the Red Hat Customer Portal are encouraged to subscribe to the jboss-watch-list mailing list. E-mail notification of new updates can also be configured in the Customer Portal.

Advisory content

Using RHSA-2013:0608 as an example, the advisory's synopsis provides the overall security impact and the name of the affected package:

Important: kvm security update

The Red Hat Security Response Team rates the impact of security issues in Red Hat products using a four-point scale (low, moderate, important, and critical). The four-point scale tells you how serious Red Hat considers an issue to be, helping you judge the severity and determine what the most important updates are. The scale takes into account the potential risk based on a technical analysis of the exact flaw and its type, but not the current threat level; a given rating will likely not change if an exploit or worm is later released for a flaw, or if one is available before the release of a fix.

The package name is the name as installed on your system (the "kvm" in "yum install kvm"), not the project or product name, Kernel-based Virtual Machine (KVM).

The heading information that follows notes when the advisory was released (the "Issued on" date); if the advisory was modified after the initial release (the "Last updated on" date); all of the Red Hat Network channels the affected package resides in; and the Common Vulnerabilities and Exposures (CVE) names that are fixed by the advisory.

CVE names follow each security flaw description; Red Hat Bugzilla numbers, by contrast, follow bug fix and enhancement descriptions. Refer to the Red Hat and CVE compatibility page for more information about CVE.

Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The next two paragraphs provide:

  • The affected package name (kvm).
  • The product the update applies to (Red Hat Enterprise Linux 5).
  • How many security issues are being fixed, and whether there are also bug fixes and enhancements with the update.
  • The advisory's overall impact, which is the impact of its highest-rated flaw. An advisory may fix one important-impact issue and several low-impact issues, but its overall impact will be important.
  • A pointer to the Common Vulnerability Scoring System (CVSS) base scores, which provide a more detailed rating than the four-point scale. Refer to https://access.redhat.com/security/updates/classification/ for more information about CVSS.

The package name and impact allow you to tell at a glance if the advisory is something you need to deal with immediately.

This section is important for JBoss updates shipped via ZIP files in the Customer Portal as it will detail the exact version the update is for. An example from RHSA-2013:0569:

An update for the JBoss Web Services component in JBoss Enterprise SOA Platform 4.3 CP05 and JBoss Enterprise Portal Platform 4.3 CP07 which fixes one security issue is now available from the Red Hat Customer Portal.

The next paragraph typically describes what the package (or product) provides and does:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel.

Descriptions for the flaws the update fixes follow:

A flaw was found in the way QEMU-KVM emulated the e1000 network interface card when the host was configured to accept jumbo network frames, and a guest using the e1000 emulated driver was not. A remote attacker could use this flaw to crash the guest or, potentially, execute arbitrary code with root privileges in the guest. (CVE-2012-6075)

In this case, the description provides:

  • Where the flaw is.
  • The configuration required to be affected by the flaw. Configuration details are not always provided, such as when the default configuration is affected, or when configuration changes do not change whether a flaw affects your system. The description will also note if the issue only affects certain architectures, such as an issue that affects 64-bit systems but not 32-bit systems.
  • Who can trigger the issue, such as whether it can be triggered remotely over a network, or whether the attacker must be on the local system.
  • The result of successfully exploiting the issue, such as causing a denial of service, obtaining information you would otherwise not be able to access, or executing arbitrary code with the privileges of the vulnerable process.
  • The CVE name assigned to the issue.

For kernel errata, individual impacts are listed after each description. An example from RHSA-2013:0695:

... A local, unprivileged user could use this flaw to escalate their privileges. (CVE-2013-0871, Important)

Individual impacts for issues in non-kernel errata can be found in the Red Hat CVE Database. For example, the top of the page on https://access.redhat.com/security/cve/CVE-2012-6075 notes:

CVE-2012-6075
Impact: Important

JBoss errata typically contain a Warning after the descriptions, noting anything that should be backed up before applying the update.

The final paragraph usually states whether the issues were fixed by backporting patches or by upgrading the package to a new upstream version, and notes any manual actions required to apply the update:

All users of kvm are advised to upgrade to these updated packages, which contain backported patches to correct this issue. Note that the procedure in the Solution section must be performed before this update will take effect.

We use the term backporting to describe when we take a fix for a security flaw out of the most recent version of an upstream software package and apply that fix to an older version of the package we distribute. With backporting, customers need to be aware that just looking at the version number of a package will not tell them if they are vulnerable to an issue or not. Refer to the Backporting Security Fixes page for further information.

It is important to read the last paragraph, even though it often looks like boilerplate, as it may contain important information about how to apply the update.
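Because fixes are backported, the practical check is whether the installed package's changelog records the CVE, not whether its version looks new enough. The following Python is an added example, not code from the article or from Red Hat: it parses the output of "rpm -q --changelog <package>" and reports the version-release that first carried the fix. The sample changelog is constructed (placeholder dates, maintainer and version strings around the CVE from RHSA-2013:0608), and the function names are mine.

```python
"""Does the installed package carry the backported fix for a CVE? The version
number alone cannot say; the RPM changelog of the installed package can."""
import re
import subprocess

# One entry as printed by `rpm -q --changelog <package>`: a header line, then
# "- " items. Newest entry comes first.
ENTRY_HEADER_RE = re.compile(
    r"^\* (?P<date>\w{3} \w{3} \d{1,2} \d{4}) (?P<who>.+?)(?: - (?P<evr>\S+))?$")

# Constructed sample in that layout. The CVE is the one from RHSA-2013:0608;
# dates, maintainer and version-release strings are placeholders, not the
# real kvm changelog.
SAMPLE_CHANGELOG = """\
* Mon Feb 04 2013 Example Maintainer <maint@example.com> - 83-100.el5_9.1
- kvm-e1000-discard-oversized-packets.patch
- Resolves: CVE-2012-6075 (e1000 jumbo frame handling)

* Tue Nov 06 2012 Example Maintainer <maint@example.com> - 83-100.el5
- rebase to the Red Hat Enterprise Linux 5.9 kvm snapshot
"""


def parse_changelog(text):
    """Split rpm changelog output into entries: {"date", "who", "evr", "items"}."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_HEADER_RE.match(line)
        if m:
            entries.append({"date": m.group("date"), "who": m.group("who"),
                            "evr": m.group("evr"), "items": []})
        elif entries and line.strip():
            entries[-1]["items"].append(line.strip())
    return entries


def fixing_entry(changelog_text, cve):
    """Oldest entry that mentions the CVE (the version-release that first
    carried the backport), or None if the fix is not in this package."""
    # Trailing (?!\d) so CVE-2012-6075 does not also match CVE-2012-60751.
    cve_re = re.compile(re.escape(cve) + r"(?!\d)")
    hits = [e for e in parse_changelog(changelog_text)
            if any(cve_re.search(item) for item in e["items"])]
    return hits[-1] if hits else None     # rpm lists newest first


def is_fixed(changelog_text, cve):
    """True when the installed package's changelog records the fix."""
    return fixing_entry(changelog_text, cve) is not None


def installed_changelog(package):
    """Changelog of an installed package, for use on a real system
    (the constructed sample above stands in for it here)."""
    return subprocess.check_output(["rpm", "-q", "--changelog", package]).decode()


if __name__ == "__main__":
    for cve in ("CVE-2012-6075", "CVE-2013-0871"):
        entry = fixing_entry(SAMPLE_CHANGELOG, cve)
        print(cve, "fixed in " + entry["evr"] if entry else "not in this changelog")
```

On a live system, pass installed_changelog("kvm") in place of the sample; an advisory that lists a CVE you cannot find in the changelog of the installed version is one you still need to apply, whatever the version number suggests.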

The Solution section contains a link to the Red Hat Knowledgebase article that describes how to install the update. This section may contain manual steps needed to apply the update.

The "Bugs fixed (see bugzilla for more information)" section contains links to Red Hat Bugzilla where more detailed information about the fixed issues can sometimes be found.

The References section links to entries in the Red Hat CVE Database. Here you can find the CVSS scores for the issues, other products the issues have been fixed in, if any, and any statements about the issues (for example, a future update may correct the issue in a different product).

A link is also provided to the page that explains the four-point severity rating scale and in-depth information about CVSS scoring.

The References field sometimes links to upstream advisories, or other sources providing additional information about the issues.

End of life notifications

End of life notifications are shipped as security advisories. A notification may concern individual packages, for example:

https://rhn.redhat.com/errata/RHSA-2013-0666.html

Or for products, for example:

https://rhn.redhat.com/errata/RHSA-2012-1015.html

Other sources of information

The Red Hat CVE Database provides information about CVE named issues, including CVSS scores, errata that have fixed the issue (if any), and official statements about whether an issue affects or does not affect Red Hat products.

If you have a CVE name and cannot find an advisory for the issue, you can use the database to check for official statements. For example, the "Statement" section of https://access.redhat.com/security/cve/CVE-2013-0151 explains that CVE-2013-0151 does not affect Red Hat products. The "Statement" section of https://access.redhat.com/security/cve/CVE-2013-0157 explains that the issue has already been fixed in Red Hat Enterprise Linux 6, and that a future update may fix it in Red Hat Enterprise Linux 5.

The "Statement" section contains official statements from the Red Hat Security Response Team. The "Details" section contains text from The MITRE Corporation. It is not uncommon to find "** RESERVED **" text in this section until MITRE's database has been updated with a description. Note that the text from MITRE is not specific to Red Hat products.

Knowledgebase articles are created for critical impact issues, as well as issues customers would consider critical even if we did not rate them as impact critical. The articles sometimes contain mitigation information that can be used until updates have been released and applied. Searching the Customer Portal based on a CVE name will find related Knowledgebase articles if they exist.

Contact secalert@redhat.com if you are unsure about how a known vulnerability affects a Red Hat product or service.
