Security Data

Red Hat Product Security is committed to providing tools and security data to help security measurement. Part of this commitment is our participation at board level in various projects such as MITRE CVE and OVAL. We also provide reports and metrics, but more importantly, we also provide the raw data below so customers and researchers can produce their own metrics, for their own unique situations, and hold us accountable.

The data resources linked on this page as well as their alternative representations available through the Security Data API are licensed under the Creative Commons Attribution 4.0 International License. If you distribute this content or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original.

CSAF/VEX Documents

The Common Security Advisory Framework (CSAF) standard enables organizations to share information about security issues using a consistent and common format. We provide Red Hat security advisories in CSAF format using the VEX profile.

• CSAF GA announcement blog post
• Link to CSAF documents

CVRF Documents

Note: CVRF files will be discontinued on September 1st, 2023; please migrate to using CSAF files before this date.

The Common Vulnerability Reporting Framework (CVRF) standard enables organizations to share information about security issues using a consistent and common format. We provide Red Hat security advisories in CVRF format.

• CVRF compatibility FAQ
• Link to CVRF documents

OVAL Definitions

Note: OVAL/DS v1 files will be discontinued on April 1, 2023; see OVAL v1 deprecation announcement for more information.

OVAL definitions are available for vulnerabilities that were addressed in errata for Red Hat Enterprise Linux and select additional products. To completely evaluate your system you will need to evaluate it against the streams for all products installed on that system.

• OVAL compatibility FAQ
• OVAL Streams directory
• Repository to CPE mappings
  • Used for matching OVAL security data to installed RPMs
  • Each repository also includes a set of relative URLs from where the content of the repository can be downloaded
• SCAP source data stream files
• Links to the deprecated non-stream OVAL files (Red Hat Enterprise Linux only):
  • OVAL definitions (consolidated XML file, .bz2) (constantly updated)
  • OVAL repository (separate files)
  • SCAP source data stream files

Vulnerability Statements and Acknowledgments

We publish acknowledgments and official statements for vulnerabilities currently under investigation and for vulnerabilities that do not affect our products and services. These statements appear on our CVE pages.

• cve-metadata-from-bugzilla.xml

Vulnerability Metrics Data

CVE to date, CVE to severity, CVE to CVSS mapping

This data source maps CVE names to the dates the issues were first known to the public. This helps generate statistics based on "days of risk". This data source also captures the severity of the issues and how we found out about them (dates and sources). Although the dates may come from third parties, the severity classifications are given by Red Hat Product Security and are specific to Red Hat, and will vary for other distributions and vendors:

• cve_dates.txt

RHSA to date mapping

This data source is a mapping of Red Hat Security Advisories to the dates and times the advisories were issued.

• release_dates.txt

RHSA to CVE and CPE mapping

This data source is a mapping of Red Hat Security Advisories to the vulnerabilities fixed (identified by CVE name). This file contains the product names affected in CPE format, and the package names, allowing the file to be filtered by a product or package subset:

• rhsamapcpe.txt

CPE lists for default installations

Red Hat Enterprise Linux ships with a large number of packages, but they are not all installed by default. These files give lists of packages in default installations, which can be used to filter the metrics. The format is the CPE name with the package name appended:

• Red Hat Enterprise Linux 8 Server (minimal install)
• Red Hat Enterprise Linux 7 Server (default install)
• Red Hat Enterprise Linux 6 Server (default install)
• Red Hat Enterprise Linux 6 Client (default install)
• Red Hat Enterprise Linux 5 Server (default install)
• Red Hat Enterprise Linux 4 AS (default install)
• Red Hat Enterprise Linux 4 WS (default install)

CVE to CWE mapping

This data source is a mapping of CVE addressed by Red Hat Security Advisories to the associated vulnerability CWE chain:

• cvemapcwe.txt

RPM to CVE mapping

This data source is a mapping of RPM packages that correct a given CVE addressed by Red Hat Security Advisories:

• rpm-to-cve.xml

CPE Dictionary

CPE is a structured naming scheme for information technology systems, software, and packages. For reference, we provide a dictionary mapping the CPE names we use, to Red Hat product descriptions. Some of these CPE names will be for new products that are not in the official CPE dictionary, and should therefore be treated as temporary CPE names:

• cpe-dictionary.xml

Data Analysis

We provide a Perl script which creates reports based on the cve_dates.txt, release_dates.txt, and rhsamapcpe.txt data sources above. For a given product, such as Red Hat Enterprise Linux, and a date range, the script can list all the security issues fixed by severity and gives a "days of risk" metric, displayed as "Average is x days", as well as vulnerability work flow statistics. For example, run the following command to create a summary report of all Critical advisories for Red Hat Enterprise Linux 8:

perl daysofrisk.pl --cpe enterprise_linux:8 --severity C

• daysofrisk.pl

Sample Reports

You can use the daysofrisk.pl script to run sample reports based on the above data sources. The following are pre-generated examples:

• Red Hat Enterprise Linux 8 (all packages) - Critical flaws
• Red Hat Enterprise Linux 7 (all packages) - Critical flaws
• Red Hat Enterprise Linux 6 (all packages) - Critical flaws
• Red Hat Enterprise Linux 5 (all packages) - Critical flaws
• Red Hat Enterprise Linux 5 Server (default installation packages) - all flaws regardless of severity