Chapter 3. Refining vulnerability-service results

Whether reporting results to stakeholders or prioritizing systems for remediation, the vulnerability service enables many ways to refine the views of your data, helping you and others focus on your most critical systems, workloads, or issues. The following sections describe the organization of your data and the sorting, filtering, and contextual features you can use to refine and enrich your results.

3.1. CVE-list and systems-list filters

Filtering narrows the visible list of CVEs and associated systems, helping you focus on specific issues. Apply filters to the CVEs list to focus on CVEs by criticality or business risk, for example. After selecting an individual CVE, apply filters to the resulting list of affected systems to focus on those of a specific RHEL major or minor version, for example.

Filters are activated by selecting a primary filter from the drop down list of filters on the left, and then selecting a secondary subfilter from the filter options drop down list on the right. Selected filters are visible below the Filters menu and can be deactivated by clicking the X next to each one.

CVEs list filters

img vuln cves filter 1 context

The following primary filters are accessible from the CVEs page. Select the primary filter, then define a parameter in the subfilter:

  • CVE. Search ID or description.
  • Security rules. Show only CVEs with the "Security rule" label.
  • Known exploit. Show only CVEs with the "Known exploit" label.
  • Severity. Select one or more values: Critical, Important, Moderate, Low, or Unknown.
  • CVSS base score. Select one or more ranges: All, 0.0-3.9, 4.0-7.9, 8.0-10.0, N/A (not applicable)
  • Business risk. Select one or more values: High, Medium, Low, Not defined.
  • Systems exposed . Select to only show CVEs with systems currently affected, or with no systems affected.
  • Publish date. Select from All, Last 7 days, Last 30 days, Last 90 days, Last year, or More than 1 year ago.
  • Status. Select one or more values: Not reviewed, In review, On-hold, Scheduled for patch, Resolved, No action - risk accepted, Resolved via mitigation.

Systems list filters

img vuln filter systems context

The following primary filters are accessible from the top of the list of systems on the CVE details page:

  • Name. Find a specific CVE by entering the CVE ID.
  • Security rules. If the CVE has a security rule associated with it, filter by other systems vulnerable to the same security rule, or show systems not affected by the security rule.
  • Status. Show systems in specific status or workflow categories.
  • Advisory. Show systems to which a Red Hat advisory applies for this CVE.
  • Operating system. Show systems running specific RHEL (minor) versions.
  • Remediation. Show systems included in an Ansible Playbook, a manual remediation, or that are not included in a current remediation plan.

3.1.1. Filtering security-rule CVEs

Security rules, especially high-severity security rules, pose the greatest potential threat to your infrastructure and should be considered the highest priority for identification and remediation. Use the following procedure to view only high-severity security-rule CVEs in the CVEs list and identify affected systems.

Note

Not all systems exposed to a CVE are also exposed to a security rule associated with that CVE. Even though you may be running a vulnerable version of software, other environmental conditions may mitigate the threat; for example, a specific port is closed or SELinux is enabled.

Procedure

  1. Navigate to Security > Vulnerability > CVEs in Red Hat Insights for Red Hat Enterprise Linux.
  2. Click the filters dropdown list in the toolbar.

    1. Apply the Security rules filter.
    2. Apply the Has security rule subfilter.
  3. Scroll down to view security-rule CVEs. CVEs with security rules display the security-rule label located immediately below the CVE ID.

3.1.2. Remediating vulnerabilities with security rules on RHEL Systems

CVEs with security rules are CVEs prioritized by Red Hat because they focus on issues that have elevated risk to your systems. Remediating these issues helps support a security posture that prioritizes the most important issues for your organization. Using the vulnerability service and the remediations service, you can prioritize and remediate some of the most important threats to your systems by:

3.1.3. Filtering known-exploit CVEs

CVEs with the “Known exploit” label are determined by Red Hat to have exploits that exist in the wild; either the code exists publicly to exploit the CVE, or an exploit is known publicly to have already happened. For these reasons, known-exploit CVEs should be prioritized for identification and remediation.

Important

Red Hat does not determine whether any of your registered systems have been exploited. We are simply identifying CVEs that may pose an extraordinary risk.

Use the following steps to filter known-exploit CVEs in the CVEs list:

Procedure

  1. Navigate to Security > Vulnerability > CVEs in Red Hat Insights for Red Hat Enterprise Linux.
  2. Click the filters drop-down list in the toolbar.

    1. Apply the Known exploit filter.
    2. Apply the Has a known exploit subfilter.
  3. Scroll down to view the list of known-exploit CVEs.

3.1.4. Filtering CVEs without associated advisories

Some CVEs do not have associated advisories, also called errata. This might happen for any of the following reasons:

  • No fix is available for the CVE
  • Product Security analysis determines that the CVE affects your environment, but has no errata available for your environment (although the same CVE can have errata in other environments)
  • Your system is no longer under support
Important

CVE information is currently available for RHEL 6, 7, 8, and 9. No information is available for RHEL 5 systems.

Being able to identify the CVEs without advisories enables you to take measures to protect your organization from exposures associated with those vulnerabilities, so that you can take the necessary steps to address the issues.

If your version of RHEL does not have a fix available and is listed as “Will not fix,” consider the following criteria:

  • The impact of the vulnerability (severity)
  • The life cycle phase of your version of RHEL

If you decide that a fix is necessary for a CVE without an associated advisory, the following options are available:

  • Accept the risk
  • Upgrade to a supported product version that includes a fix for this vulnerability, if available (recommended)
  • Apply a mitigation (if one exists)

Additional resources

For more information about CVEs, see Common Vulnerabilities and Exposures

For more information about the severity ratings for vulnerabilities, see Understanding severity ratings.

For more information about product life cycles, see Life cycle and update policies.

To open a support case in the Customer Portal, see Customer support.

3.1.4.1. Enabling CVEs without advisories

Enabling CVEs without advisories allows you to access systems affected by CVEs without advisories in Insights.

This feature is enabled by default, but CVEs without advisories are hidden by default in the main view. This means that you must use filters to display and view CVEs without advisories.

Note

Red Hat’s policy requires Insights for Red Hat Enterprise Linux to display all high priority, critical, and important CVEs, regardless of whether those CVEs have associated advisories.

Prerequisites

  • Vulnerability administrator access to your environment in Red Hat Insights

Procedure

  1. From the Red Hat Insights for RHEL dashboard, navigate to Security > Vulnerability > CVEs.
  2. Click the More options icon (⋮) and select Show CVEs without Advisories. The list of advisories includes CVEs without advisories.

3.1.4.2. Disabling CVEs without advisories

To disable CVEs without advisories feature, deselect the Show CVEs without Advisories option.

The CVEs without advisories option is enabled by default, but the default view hides CVEs without advisories.

Note

Red Hat’s policy requires Insights for Red Hat Enterprise Linux to display all high priority, critical, and important CVEs, regardless of whether those CVEs have associated advisories.

Prerequisites

  • Vulnerability administrator access to your environment in Red Hat Insights
  • The list of advisories includes CVEs without advisories

Procedure

  1. From the Red Hat Insights for RHEL dashboard, navigate to Security > Vulnerability > CVEs.
  2. Click the More options icon (⋮) and select Hide CVEs without Advisories.

3.1.4.3. Viewing CVEs without advisories

The Show CVEs without Advisories option enables or disables CVEs without advisories. To view CVEs without advisories, the Show CVEs without Advisories option must be enabled.

Prerequisites

  • The Organization Administrator has enabled the CVEs without advisories option.

Procedure

  1. From the Red Hat Insights for RHEL dashboard, navigate to Security > Vulnerability > CVEs.
  2. From the filter drop-down, select Advisory.
  3. From the Filter by Advisory drop-down, select Not Available. The list of advisories shows all CVEs without advisories.

3.1.4.4. Identifying systems affected by a CVE without advisories

The CVE details page displays the list of all systems affected by the selected CVE. You can filter the list of systems to display the systems affected by the CVE where an advisory is not present.

Prerequisites

  • The Organization Administrator has enabled the CVEs without advisories option.

Procedure

  1. Identify a CVE without advisories for which you want to see systems that it affects. For more information about identifying CVEs without advisories, refer to Identifying systems with CVEs without Advisories.
  2. Select the identified CVE to navigate to the CVE details page. The CVE details page for that CVE displays. The page lists all the systems affected by that CVE.

    1. If you apply the Filter by Advisory filter and Not Available option when you select a CVE, these filters persist to the CVE details page.
    2. Otherwise, when you navigate to the CVE details page, select Advisory from the filters at the top of the page, and then Select Filter by Advisory, and click the Not Available checkbox. The list of systems updates to show only systems affected by that CVE without advisories. The Advisory column shows Not Available for each system in the list.
  3. Optional: To view details for the system, select the name of the system you want to view. The details page for the system displays.

3.1.4.5. Viewing CVEs without advisories in system details

The system details page displays the list of all CVEs that affect the selected system. You can filter the list of CVEs to display the CVEs without advisories.

Prerequisites

  • The Organization Administrator has enabled the CVEs without advisories option.

Procedure

  1. From the Red Hat Insights for RHEL dashboard, navigate to Security > Vulnerability > Systems. The Vulnerability systems page displays.
  2. Select a system ID from the list. The system details page for that system displays. The page lists all the CVEs that affect the selected system.
  3. Select Advisory from the filters at the top of the page.
  4. Select Filter by Advisory, and select the Not Available checkbox. The list of CVEs updates to show only CVEs without advisories. The Advisory column shows Not Available for each CVE in the list.
  5. Optional: To view details for the CVE, select the CVE ID for the CVE you want to view. The details page for the CVE displays.

3.2. Filtering lists of systems exposed to security rules

After filtering the list of CVEs to view only your most critical potential threats, select an individual CVE to view the list of exposed systems and apply a filter to the list.

Procedure

  1. After selecting a security-rule CVE, scroll down to the Exposed systems list. Not every system in the list has the security rule conditions present for the CVE to be a security rule. Apply the following filter to see only the systems with security rule conditions present.
  2. Select the Security rules filter from the primary filter dropdown list.
  3. Check the Has security rule box in the secondary subfilter dropdown list.
  4. View the systems with exposure to that CVE that also have the conditions present for the security rules.

3.3. Insights for RHEL group filters

The ability to filter vulnerability service results by groups of systems or workloads enables users to view only those systems tagged as belonging to a specific group. These can be systems running SAP workloads (or by SAP ID), by Satellite host groups, or by custom tags added to the Insights client configuration file.

Group filtering can be set globally in Insights for Red Hat Enterprise Linux using the Filter results box located at the top of the page throughout the Insights for Red Hat Enterprise Linux application. Group selection persists when changing from service to service and page to page. However, the functionality varies within the different Insights for Red Hat Enterprise Linux services.

Group filtering works in the vulnerability Dashboard and vulnerability service CVEs and Systems lists.

Learn more about group tags and configuring custom tags in Tags and system groups section of this document.

3.3.1. Filtering Dashboard, CVEs, and Systems lists by group

Use the following procedure to filter vulnerability service CVE and Systems lists by group.

Procedure

  1. Navigate to Red Hat Hybrid Cloud Console and log in.
  2. Open the Red Hat Insights for Red Hat Enterprise Linux application.
  3. Click the down arrow on the Filter results box located at the top of any page in the Insights application.
  4. Select a group by which to filter your systems.

    Search or scroll to view available tags. To browse the full list of available tags, scroll to the bottom of the list and click View more.

    Optionally,

    1. Select SAP workloads.
    2. Select systems by specific SAP IDs.
    3. Select Satellite host collections.
    4. Select systems identified by custom group tags.

      To learn more about creating custom tags, see section, Custom system tagging, in this document.

  5. Navigate to the service and view only systems or CVEs that belong to your selected group or groups.

3.4. Defining a business risk for a CVE

The vulnerability service allows you to define the business risk of a CVE with the following options: High, Medium, Low, or Not Defined (default).

While the list of CVEs shows the severity of each CVE, assigning a business risk lets you rank CVEs based on the impact they could have on your organization. This can give you more control in managing your risk efficiently in a large environment, and enable you to make better operational decisions.

By default, the business risk field for a specific CVE is set to Not Defined. After you set the business risk, it is visible in the Security > Vulnerability > CVEs list, in the CVE row.

img vuln assess cve business risk

Business risk is also visible on the details card for each CVE, which shows more information and lists affected systems.

img vuln assess cve details business risk

3.4.1. Setting a business risk for a single CVE

Complete the following steps to set the business risk for a single CVE:

Note

The business risk for that CVE will be the same on all systems impacted by it.

  1. Navigate to the Security > Vulnerability > CVEs page and log in if necessary.
  2. Identify a CVE for which to set a business risk.
  3. Click the more-actions icon (three vertical dots) on the right end of the CVE row and click Edit business risk.

    img vuln set bus risk

  4. Set a business risk value to the appropriate level and, optionally, add a justification for your risk assessment.
  5. Click Save.

3.4.2. Setting a business risk for multiple CVEs

Complete the following steps to set the same business risk on multiple CVEs that you select:

  1. Navigate to Security > Vulnerability > CVEs and log in if necessary.
  2. Check the boxes for the CVEs for which you want to set a business risk.
  3. Perform the following steps to set a business risk:

    1. Click the more-actions icon (three vertical dots) to the right of the Filters dropdown menu in the toolbar and click Edit business risk.
    2. Set an appropriate business risk value and, optionally, add a justification for your risk assessment.
    3. Click Save.

3.5. Excluding systems from vulnerability service analysis

The vulnerability service allows you to exclude specific systems from vulnerability analysis. This can save you the time and attention required to review and re-review issues on systems that are not relevant to your organization’s goals.

As an example, if you have the following category of servers: QA, Dev, and Production, you may not care to review the vulnerabilities for your QA servers and therefore want to exclude these systems from the analysis performed by the vulnerability service.

When you exclude systems from vulnerability analysis, the Insights client still runs per schedule on the system, but the results for the system are not visible in the vulnerability service. The continued operations of the client ensure that other Red Hat Insights for Red Hat Enterprise Linux services can still upload the data they need. It also means that you can still view results for those systems using filtering.

Complete the following steps to exclude selected RHEL systems from vulnerability service analysis:

Procedure

  1. Navigate to the Security > Vulnerability > Systems tab and log in if necessary.
  2. Check the box for each system you want to exclude from vulnerability analysis.
  3. Click the more-actions icon in the toolbar, at the top of the list of systems, and select Exclude systems from vulnerability analysis.

    img vuln assess systems exclude from ananlysis

  4. Optionally, you can exclude a single system by clicking the more-actions icon in the system row and selecting Exclude system from vulnerability analysis.

    img vuln assess systems exclude single system

3.6. Showing previously excluded systems

Complete the following steps to show a previously excluded system:

Procedure

  1. Navigate to the Security > Vulnerability > Systems tab and log in if necessary.
  2. Click the more-actions icon in the toolbar, at the top of the list of systems, and select Show systems excluded from analysis.
  3. See systems excluded from vulnerability analysis. This can be verified by the value of Excluded in the Applicable CVEs column.

3.7. Resuming vulnerability analysis for a system

Complete the following steps to resume vulnerability analysis for a system:

Procedure

  1. Navigate to the Security > Vulnerability > Systems tab and log in if necessary.
  2. Click the more-actions icon in the toolbar, at the top of the list of systems, and select Show systems excluded from analysis.
  3. In the list of results, check the box for each system for which you want to resume vulnerability analysis.
  4. Click the more-actions icon again and select Resume analysis for system.

3.8. CVE status

Another method of managing CVEs impacting your systems is by setting a status for CVEs. The vulnerability service enables the following ways of setting a status for a CVE:

  • Set a status for a CVE for all systems.
  • Set a status for a specific CVE + system pair.

Status values are preset and include the following options:

  • Not reviewed (default)
  • In-review
  • On-hold
  • Scheduled for patch
  • Resolved
  • No action - risk accepted
  • Resolved via mitigation

Setting a status for a CVE can facilitate better triaging through its life-cycle, from becoming aware of it to remediating it. Defining a status allows your organization to keep better tabs on where the most critical CVEs are in their life-cycle and where you should focus your efforts to address the most critical issues per your business need. The status for a CVE is visible in all CVE tables in the vulnerability service and in individual CVE views.

3.8.1. Setting a status for a CVE on all affected systems

Complete the following steps to set a status for a CVE and have that status apply to that CVE on all of the systems it impacts:

Procedure

  1. Navigate to the Security > Vulnerability > CVEs tab and log in if necessary.
  2. Click the more-actions icon located on the right end of the CVE row and select Edit status.
  3. Select the appropriate status and, optionally, enter a rationale for your decision in the Justification text box.
  4. Check Do not overwrite individual system status if there are statuses set for this CVE on individual systems and that you want to preserve. Otherwise, leave the box unchecked to apply this status to all of the systems it is impacting.
  5. Click Save.

3.8.2. Setting a status for a CVE and system pair

Complete the following steps to set a status on a CVE and system pair:

Procedure

  1. Navigate to the Security > Vulnerability > Systems tab and log in if necessary.
  2. Identify the system and click the system name to open it.
  3. Select a CVE from the list and check the box next to the CVE ID.
  4. Click the more-options icon in the toolbar and select Edit status.

    img vuln assess system cve edit status pair

  5. In the popup card, take the following actions:

    1. Set a status for the CVE and system pair.

      Note

      If the box to Use overall CVE status is checked, you cannot set a status for the pair.

    2. Optionally, enter a justification for your status determination.
    3. Click Save.
  6. Locate the CVE in the list and verify the status is set.

3.9. Using the Search box

The search function in the vulnerability service works in the context of the page you are viewing.

  • CVEs page. The search box is located in the toolbar at the top of the CVEs list. With the CVE filter set, search CVE IDs and descriptions.

    img vuln assess search cves

  • Systems page. The search box is located in the toolbar at the top of the list. Search for system name or UUID.

    img vuln assess systems search

3.10. Sorting CVE list data

The sorting functions in the vulnerability service differ based on the context of the page you are viewing.

Procedure

  1. In the CVEs tab, you can apply sorting to the following columns:

    • CVE ID
    • Publish date
    • Severity
    • CVSS base score
    • Systems exposed
    • Business risk
    • Status
  2. In the Systems tab, the following column can be sorted:

    • Name
    • Applicable CVEs
    • Last seen
  3. After selecting a system in the Systems tab, the system-specific list of CVEs allows the following sorting options:

    • CVE ID
    • Publish date
    • Impact
    • CVSS base score
    • Business risk
    • Status