Retired: This application is now retired.

IAVM Mapper (RETIRED)


Note
*This application has not been able to update the IAVM list and related CVEs it provides since February 2017. The reason is that a public service that published the IAVM information on IASE (Information Assurance Support Environment), which this application needs, stopped working in February.*

About

This tool lists IAVM reports that are related to Red Hat CVEs.

Usage

Pick an IAVM ID from the picker; the report information will load in the "IAVM Information" panel.

16 Comments


If an IAVM is not listed (e.g. 2014-B-0064), does this mean it does not apply to Red Hat? It would be helpful to have it say N/A if it is not applicable, or at least have it present and all the CVE's under it show N/A as done before.

Yes this is exactly what is happening.
Since you think it might be useful, I have added an option to select whether you want to see non Red Hat IAVMs.

Let me know what you think.

Another helpful feature would be if the front page could keep the selected IAVM up. For now, I was having to select the IAVM each time I came back from looking at a CVE. However, a workaround is to right click the CVEs and open them in a new tab. I really appreciate you making this tool available as it has saved a bunch of time from having to manually search the CVE database from each IAVA.

I've changed the code so that new tabs are always opened.
Let me know if this resolves the issue you had.

FYI, I also noticed there are weird symbols at the top of the IAVM Mapper page, including a "5" and a ")".

What browser and version are you using?
Do you see that on any other portal pages?

The changes you made have made this useful tool even more helpful! Thank you for making them, and your quick attention to implementing them. I don't know if symbols are on other portal pages (this is the only portal page I am familiar with). I am using Internet Explorer 8.

This is definitely a welcome addition to my bookmarked pages. Thank you for this tool Red Hat. I wish some of the other vendors would take note.

The Nav bar with "Labs > IAVM Mapper" does seem to have a slight problem in that it matches the lighter grey on the sidebars so the text is invisible (CSS/color perhaps?). I'm also seeing the previously mentioned symbols with what appears to be a button and a text field (using IE 8). I haven't run into these symbols on any other Red Hat pages.

Is there a possibility of actually listing the software name i.e. openssl or sssd-devel if a patch is delivered by RH? That way it is easily identified by security personnel as to what needs to be updated.

Is this site no longer being maintained? I have found it to be very helpful, but it doesn't appear to have been updated in a while.

It should be continuously updated. The latest entry I see is:
"""
IAVM Report for 2014-B-0129
Severity: Category I
Title: Multiple Vulnerabilities in Wireshark
Release Date: 25 Sep 2014
"""

Which was 4 days ago. This shows up when I select "Include non Red Hat IAVMs?". Let me know if there is something else you see missing.

I would at least expect to see 2014-A-0142 listed as applicable to Red Hat.

Ahh I see. The IAVM to Red Hat CVE mapping hints were missing in some XML that was being parsed (XML that drives this app).
I've put in a fix for this; I also changed the sorting slightly so the letter in the IAVM does not cause the sequential numbering to sort incorrectly.

Let me know if the change looks good to you. Thanks.

It appears to be working much better now. Thank you!

There is one issue I noticed with the sort... In this case, since the IAVB numbers are "lagging" behind the IAVA numbers, they appear further down on the list, and could be missed by people checking the site. I wonder if it would be feasible to add an option to filter on IAVAs vs. IAVBs (and maybe IAVTs, but I haven't seen one of those in a great while). Another alternative would be to state on the front of the page that they are now sorted by number, and ask the user to look in the list where the IAVB should appear.

OK... the "Include non RedHat IAVMs" is a PITB... what is it doing? Asking about each IAVM that does not apply? How about a checkbox that would apply globally?

The "Include non Red Hat IAVMs?" lets you pick IAVMs in the select list that might not map to Red Hat CVEs. The default is to only show IAVMs that do map to Red Hat CVEs.
Once "yes/no" is chosen it is "global" in that the selection persists as you pick IAVMs... it should not change back once you've made a selection.

Let me know if this clears things up for you.

Would it be possible to expose an API to this service?

Or, would it be possible to make available the IAVM to Redhat CVE XML that drives this site?

Thanks!

Would it be possible to expose an API to this service?

Sure, the API is exposed but not documented. You can use browser tools to see what the JavaScript is doing, or just use this:

List IAVAs: GET https://access.redhat.com/labs/iavmmapper/api/iava
Show an IAVA: GET https://access.redhat.com/labs/iavmmapper/api/iava/2015-A-0170

Or, would it be possible to make available the IAVM to Redhat CVE XML that drives this site?

Yeah, no problem... the iavmmapper API correlates information from two XML sources:
http://iasecontent.disa.mil/stigs/xml/iavm-to-cve%28u%29.xml and https://www.redhat.com/security/data/metrics/cvemap.xml

Both are publicly available, but both are large. Please be mindful of their size and cache them if you decide to use the files in an app. For instance, this lab caches both files for 2 hours.

Thanks!

No problem.

Oh, I forgot to mention... the API also supports filtering out IAVAs that are not Red Hat specific.
https://access.redhat.com/labs/iavmmapper/api/iava?include_all=Yes
https://access.redhat.com/labs/iavmmapper/api/iava?include_all=No

Without a parameter the API defaults to Yes. This Lab's front end toggles this filter param when you switch the "Include non Red Hat IAVMs?" input.

I assume that the IAVAs listed here:
https://access.redhat.com/labs/iavmmapper/api/iava?include_all=No

are filtering the IAVAs that were superseded by a later IAVA?

Thanks Ian

We are using http://iasecontent.disa.mil/stigs/xml/iavm-to-cve%28u%29.xml and thus we inherit any filtering that is done on that XML file.
I am not sure that this answers your question though, let me know if it does not.

Oh, but the include_all=No param filters out items that don't have a corresponding entry in https://www.redhat.com/security/data/metrics/cvemap.xml

That makes sense. Thanks Ian.

Another question: Is there any other source you know of for me to easily determine the specific RPMs affected and versions of RPMs needed to address the IAVA. I have offline machines that don't have access to a Satellite server and I am working on developing a tool that I can run locally on any RHEL box to tell me if it is "IAVA Compliant". The tool would obviously need to be regularly updated on the Internet with the latest CVE/IAVA/RPM info, then transferred to the offline system...

I would follow this guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sect-Practical_Examples.html. Using both the OpenSCAP scanner and the CVE content provided by Red Hat Security, it should give you what you are looking for.

We are now using Tripwire, and that uses NIST standards, and a different numbering system. I need to search by finding, i.e. /dev/shm nosuid

When I search for IAVA 2015-A-1074, it automatically shows 2015-A-0199 on the same line in the picker, but it shows nothing in the IAVM Information panel. When choosing an IAVA that shows up by itself in the picker, it seems to do the right thing and show information in the IAVM Information panel. Please fix. Also, when I select "no" for 'include non-Red Hat IAVMs', it still shows non-Red Hat IAVMs, for example, 2015-A-0222 which is for Apple IOS. Not only that, but the ones I've looked at don't map to a corresponding RHSA or bugzilla link, which pretty much renders this tool fairly useless. I want to be able to use this tool to search for or click on a specific IAVA and find out what Red Hat package (if any) fixes that IAVA.

I did not get to thoroughly investigate what made this change, but I noticed in the XML source I am using that there are now fields that have the IAVAs listed together with commas. I changed the app to split on all of those commas, though, so the "IAVA, IAV, IAVA" pattern should not happen anymore. Please let me know if everything is okay.
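The three data-handling points raised in this thread (sorting IAVM IDs so the letter does not break the numeric order, splitting comma-joined IDs in a feed field, and the include_all=No filter that drops IAVMs with no entry in cvemap.xml) are shown together below as an added example; it is not the lab app's own code. It assumes a simplified, constructed XML schema for both feeds (the real DISA and Red Hat files are richer), and it goes one step further by picking a Red Hat or MITRE link per CVE depending on whether cvemap.xml knows it, the check a later comment asks for.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feeds in a simplified schema (assumption: the real XML layouts are richer).
IAVM_TO_CVE_XML = """<iavms>
  <iavm id="2014-A-0142"><cve>CVE-2014-3566</cve></iavm>
  <iavm id="2014-B-0129"><cve>CVE-2014-6421</cve><cve>CVE-2014-6422</cve></iavm>
  <iavm id="2015-A-0199, 2015-A-1074"><cve>CVE-2015-4000</cve></iavm>
  <iavm id="2015-A-0222"><cve>CVE-2015-5500</cve></iavm>
</iavms>"""
CVEMAP_XML = """<cvemap>
  <Vulnerability name="CVE-2014-3566"/>
  <Vulnerability name="CVE-2014-6421"/>
  <Vulnerability name="CVE-2015-4000"/>
</cvemap>"""

RH_CVE_URL = "https://access.redhat.com/security/cve/"
MITRE_CVE_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name="
IAVM_RE = re.compile(r"^(\d{4})-([ABT])-(\d{4})$")

def iavm_sort_key(iavm_id):
    """Order by (year, number, letter) so 2014-B-0129 sits among the 2014-A-* IDs."""
    year, letter, seq = IAVM_RE.match(iavm_id).groups()
    return (int(year), int(seq), letter)

def split_iavm_ids(field):
    """Split comma-joined IDs (the "IAVA, IAVA" feed pattern) and reject malformed ones."""
    ids = [p.strip() for p in field.split(",") if p.strip()]
    bad = [i for i in ids if not IAVM_RE.match(i)]
    if bad:
        raise ValueError("malformed IAVM id(s): %s" % bad)
    return ids

def load_redhat_cves(cvemap_xml):
    """CVE names Red Hat tracks; drives the include_all=No filter."""
    root = ET.fromstring(cvemap_xml)
    return {v.get("name") for v in root.iter("Vulnerability")}

def correlate(iavm_xml, cvemap_xml, include_all=True):
    """Map IAVM id -> CVEs; link to Red Hat's CVE page only if cvemap.xml knows the CVE."""
    rh = load_redhat_cves(cvemap_xml)
    out = {}
    for node in ET.fromstring(iavm_xml).iter("iavm"):
        entries = []
        for c in node.findall("cve"):
            cve = c.text.strip()
            url = (RH_CVE_URL if cve in rh else MITRE_CVE_URL) + cve
            entries.append({"cve": cve, "redhat": cve in rh, "url": url})
        if not include_all and not any(e["redhat"] for e in entries):
            continue  # include_all=No: IAVM maps to no Red Hat-tracked CVE
        for iid in split_iavm_ids(node.get("id")):
            out[iid] = entries
    return dict(sorted(out.items(), key=lambda kv: iavm_sort_key(kv[0])))
```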

Yes, the comma-separated IAVAs on the same line seem to be fixed. I'm still seeing some non-Red Hat IAVAs showing up, e.g. Apple IOS. And again, I think this would be a much more useful tool in a Red Hat context if it linked to applicable RHSAs and/or Bugzilla entries. I can just look at the IAVA to see what CVEs it is linked to. I need something that tells me which Red Hat packages (if any) fix a particular IAVA.

I am looking for IAVA 2015-A-0250, specifically for Redhat. It's not found and so I'm wondering if it's even real. Where would I go to find the source for these? DISA? IASE? Thanks.

I think this would be a much more useful tool in a Red Hat context if it linked to applicable RHSAs and/or Bugzilla entries. I can just look at the IAVA to see what CVEs it is linked to. I need something that tells me which Red Hat packages (if any) fix a particular IAVA. Doesn't that make sense?

I'm not seeing any IAVAs in the picker newer than 2015-A-0223, which was from September. There have been many IAVAs since then that are applicable to Red Hat.

I think you might as well remove this tool if you aren't going to maintain it. It's a shame though, since you have so much product in use within the government.

I am working on rewriting the app. The feeds that we relied on hosted by DISA have changed and thus you are seeing this stale information. I think I have new datasources that will provide enough information to build out the old functionality.

Cool. I had to massage a few data sources together, but now current things should be in the list.

Thanks Ian, it now appears to have current content. However, it is still listing non-Red Hat IAVAs (e.g. Cisco, Microsoft, etc.) even when I have it set to NOT show non-Red Hat IAVAs.

Is this tool the definitive list that shows if an IAVM is applicable to Redhat products? If not, where is the definitive list? I'm looking for a Redhat document or similar I can use as a reference. I know there is the Redhat CVE database, but what if the IAVM doesn't have a CVE mapping as in the case of IAVM 2016-B-0060? Is there a document that says Redhat has determined this IAVM doesn't apply?

I can say with certainty that there exists at least one IAVA 2016-A-XXXX, no longer available through the Red Hat iavmmapper tool, which lists CVEs that are resolved by RHSAs.

I'm intentionally not mentioning specifics, to avoid leaking FOUO data.

For anyone interested in accessing the great data provided by this app from a cmdline-interface, check out:

access.redhat.com/discussions/2713931#find-cves-by-iava

Kudos to the lab apps team for making this data available.

I've run into some IAVAs that aren't present in the app, e.g., 2016-A-0102, 2016-B-0060, 2015-A-0264. I'm curious about it.

Ryan,

We will look at why these are missing.

I'm getting 404 errors from the redhat site when I click on the CVE links. This happens after clearing browser history in Chrome, and logging back into the site.

Hi Andy. I'm not one of the maintainers for this app, but I'd like to point out a few things: (1) The "Include non Red Hat IAVMs?" checkbox seems to be broken. When it's set to "No" for me, I still see tons of IAVMs that only include CVEs for non-RH products. (2) When the app generates a URL for a CVE, it doesn't check to see if that CVE exists in our Red Hat CVE database first -- ideally, it might check that and then conditionally display a link to cve.mitre.org instead. For example: 2017-B-0003 lists one VMware CVE which of course won't be in our database but the app still generates a link to our DB instead of sending you to cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7456.

Long story short: I suspect your problem is that you're trying to follow bogus links to non-RH CVEs.

While I have hope that the team behind this Labs App will continue to maintain it, you might want to check this: a new cmdline tool using Red Hat's new Security Data API, rhsecapi. The upside: it's a lot more flexible in how it lets you query IAVAs and display output -- you can pass it as many IAVAs as you want via --iava or -i and can optionally use --urls to see URLs, e.g.:

$ rhsecapi --iava=2016-A-0353 --iava 2017-B-0003 -i 2016-B-0185 --urls 
[NOTICE ] rhsda: Valid Red Hat IAVA results retrieved: 2 of 3
[NOTICE ] rhsda: Number of CVEs mapped from retrieved IAVAs: 4

2016-A-0353 (https://access.redhat.com/labs/securitydataapi/iava?number=2016-A-0353)
  TITLE    : Multiple Vulnerabilities in Samba
  SEVERITY : CAT I
  ID       : 140722
  CVES     :
   CVE-2016-2123 (https://access.redhat.com/security/cve/CVE-2016-2123)
   CVE-2016-2125 (https://access.redhat.com/security/cve/CVE-2016-2125)
   CVE-2016-2126 (https://access.redhat.com/security/cve/CVE-2016-2126)

2017-B-0003
  Not present in Red Hat IAVA database

2016-B-0185 (https://access.redhat.com/labs/securitydataapi/iava?number=2016-B-0185)
  TITLE    : Apache ActiveMQ HTML Injection Vulnerability
  SEVERITY : CAT I
  ID       : 140712
  CVES     :
   CVE-2016-6810 (https://access.redhat.com/security/cve/CVE-2016-6810)

(Also note in the above how 2017-B-0003 isn't present, since it's not for Red Hat products.)

Even better, you can tell rhsecapi to query full details about the relevant CVEs by adding the --extract-cves option, e.g.:

$ rhsecapi --iava=2016-A-0353 --iava 2017-B-0003 -i 2016-B-0185 --urls --extract-cves 
[NOTICE ] rhsda: Valid Red Hat IAVA results retrieved: 2 of 3
[NOTICE ] rhsda: Number of CVEs mapped from retrieved IAVAs: 4
[NOTICE ] rhsda: Valid Red Hat CVE results retrieved: 4 of 4

CVE-2016-2123 (https://access.redhat.com/security/cve/CVE-2016-2123)
  SEVERITY : Critical Impact (https://access.redhat.com/security/updates/classification)
  DATE     : 2016-12-19
  BUGZILLA : https://bugzilla.redhat.com/show_bug.cgi?id=1392702
  FIX_STATES :
   Not affected: Red Hat Gluster Storage 3.1 [samba]
   Not affected: Red Hat Enterprise Linux 5 [samba3x]
   Not affected: Red Hat Enterprise Linux 5 [samba]
   Not affected: Red Hat Enterprise Linux 6 [samba4]
   Not affected: Red Hat Enterprise Linux 6 [samba]
   Not affected: Red Hat Enterprise Linux 7 [samba]

CVE-2016-2126 (https://access.redhat.com/security/cve/CVE-2016-2126)
  SEVERITY : Moderate Impact (https://access.redhat.com/security/updates/classification)
  DATE     : 2016-12-19
  BUGZILLA : https://bugzilla.redhat.com/show_bug.cgi?id=1403115
  FIX_STATES :
   Affected: Red Hat Gluster Storage 3.1 [samba]
   Will not fix: Red Hat Enterprise Linux 5 [samba3x]
   Will not fix: Red Hat Enterprise Linux 5 [samba]
   Affected: Red Hat Enterprise Linux 6 [samba4]
   Affected: Red Hat Enterprise Linux 6 [samba]
   Will not fix: Red Hat Enterprise Linux 7 [samba]

CVE-2016-2125 (https://access.redhat.com/security/cve/CVE-2016-2125)
  SEVERITY : Moderate Impact (https://access.redhat.com/security/updates/classification)
  DATE     : 2016-12-19
  BUGZILLA : https://bugzilla.redhat.com/show_bug.cgi?id=1403114
  FIX_STATES :
   Affected: Red Hat Gluster Storage 3.1 [samba]
   Will not fix: Red Hat Enterprise Linux 5 [samba3x]
   Will not fix: Red Hat Enterprise Linux 5 [samba]
   Affected: Red Hat Enterprise Linux 6 [samba4]
   Affected: Red Hat Enterprise Linux 6 [samba]
   Will not fix: Red Hat Enterprise Linux 7 [samba]

CVE-2016-6810 (https://access.redhat.com/security/cve/CVE-2016-6810)
  SEVERITY : Moderate Impact (https://access.redhat.com/security/updates/classification)
  DATE     : 2016-12-09
  BUGZILLA : https://bugzilla.redhat.com/show_bug.cgi?id=1404645
  FIX_STATES :
   Affected: Red Hat Jboss A-MQ 6 [mq-web-console]
   Not affected: Red Hat Jboss Fuse 6 [activemq]
   New: Red Hat Jboss Fuse Service Works 6 [activemq]
   New: Red Hat OpenShift Enterprise 2 [activemq]

The downside compared to the IAVM Mapper app is of course that it's not a web-app; you'll need to run it from the cmdline of an internet-connected machine.

The issue is fixed and released. The checkbox for "Include non Red Hat IAVMs?" works again. For Red Hat IAVMs, at least one CVE is reported in the Red Hat Customer Portal.

When is the IAVM list going to be updated? The list has not been updated since February 2017.

I too was wondering this.

Hi Melissa and Arthur,

A public data source that the app depends on is shut down. We are actively working to find an alternative.
We will update here once it's done. Thanks for your patience.

Thanks, Dong

Dong,

Thank you for the quick response. If you need a customer to vouch for the DoD benefit of Red Hat having this information to DISA, let me know.

-Arthur

Sure. Thanks a lot, Arthur!

This app pulls IAVM-CVE mapping data from http://iasecontent.disa.mil. DISA stopped releasing the mapping data a few months ago due to some internal change. We currently have no alternative but to wait for DISA to resume releasing the mapping data. We are actively talking to them.

Any word on the IAVM Mapper being up again? I know, waiting on the government to fix their side can be a painful process... but still, just curious if an update is available or not.

Hi Brad, Thanks for your patience. Unfortunately, the last message we heard is that they have no plan to restart publishing the data. We will have to close this app.

Thanks, Dong