Security glossary
Abstract Syntax Notation One (ASN.1)
Abstract Syntax Notation One is a standard and notation that describes rules and structures for representing, encoding, transmitting, and decoding data.
Adjacent attacker
An attacker who can reach the vulnerable component from across short-range networks such as Bluetooth.
Affected
A security flaw in the source code or product; does not directly translate into something exploitable.
Application linked with a <library_name>
An application leveraging functionalities or features exported by the library <library_name>.
Arbitrary code execution (ACE)
The ability for a local attacker to execute arbitrary code on the system by exploiting a vulnerability. Exploiting such a vulnerability may allow the attacker to perform any action on the system, with the privileges of the exploited component.
Arbitrary memory read
Arbitrary memory read means the attacker has the unrestricted ability to read memory of their choosing in a given context. It can lead to information disclosure.
Arbitrary memory write
Arbitrary memory write means the attacker has the unrestricted ability to write to memory of their choosing in a given context. It can lead to a denial of service or (in some cases) arbitrary code execution.
Authenticated attacker
An attacker who has to perform an authentication step (log in) to perform intended actions.
Brute force
Brute force is an attack or technique using a trial-and-error method to access accounts, usually in rapid repetition. For example, an attacker can systematically check all possible passwords and passphrases using a repetitive or iterative mechanism until the correct one is found.
Buffer overflow
The software copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. It can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/120.html
Capabilities
The Linux kernel uses capabilities to split the single all-powerful UNIX root privilege into a set of non-overlapping sub-privileges (called capabilities) that can be assigned individually wherever finer granularity than root/non-root is appropriate.
See the full list of capabilities at https://man7.org/linux/man-pages/man7/capabilities.7.html
Clickjacking
Clickjacking is a web security vulnerability that occurs when a victim user is tricked into clicking on UI objects that appear to belong to a foreground decoy web page, while they actually belong to a hidden background web page.
Source: https://cwe.mitre.org/data/definitions/1021.html
Code Scanning
A tool for identifying potential security issues within an application.
Common Vulnerabilities and Exposures (CVE)
A list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw assigned a CVE ID number.
Common Vulnerability Scoring System (CVSS)
An industry standard for assessing the severity of security vulnerabilities.
Common Weakness Enumeration (CWE)
A community-developed list of common weaknesses seen in software and hardware that can lead to significant security risks during development. They are part of the vulnerability assessment review.
Content Security Policy (CSP)
CSP is a client-side protection that aims to detect and mitigate injection attacks such as XSS. CSP lets a web application declare a policy that the browser enforces to prevent unauthorized code execution and unnecessary access to the application's resources.
Cookies
Also known as a web cookie, browser cookie, or HTTP cookie. A cookie is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it is used to tell whether two requests came from the same browser, for example to keep a user logged in.
Cross-Origin Resource Sharing (CORS)
Cross-origin resource sharing (CORS) is a web security mechanism that can be used to lessen the restrictions enforced by the Same Origin Policy (SOP). The CORS mechanism allows web servers to specify via HTTP headers which origins are granted access to the resources they serve.
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is a web security vulnerability that occurs when the web application can’t verify whether a request from a user was intentionally sent by the user who submitted the request. An attacker can trick a victim user into making an unintentional request to the web server which will be treated as an authentic request. This allows the malicious attacker to perform unauthorized activities without the user’s knowledge.
Source: https://cwe.mitre.org/data/definitions/352.html
Cross-site scripting (XSS)
Cross-site scripting (XSS) is a web security vulnerability that occurs when the web application dynamically generates a web page that contains untrusted user data. This data can contain malicious content (typically JavaScript or HTML) which is executed in the context of a victim user's browser when the victim visits the generated web page. XSS allows an attacker to circumvent the same-origin policy by inducing the victim user's browser to execute arbitrary JavaScript code. The most common attack performed with XSS involves the disclosure of information stored in user cookies.
Source: https://cwe.mitre.org/data/definitions/79.html
CVE Numbering Authority (CNA)
An organization responsible for the regular assignment of CVE IDs to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record.
Cybersecurity and Infrastructure Security Agency (CISA)
An agency of the United States Department of Homeland Security responsible for strengthening cybersecurity and infrastructure protection.
Default configuration
The configuration as shipped. This can also be options used when no configuration is provided.
Denial of service
A system resource (e.g., website, application, server) is made partially or fully unavailable. The attacker cannot obtain secrets or alter data, but can prevent other users from accessing the service/system.
Exploitable Vulnerabilities in the Wild
A vulnerability for which an exploit is observed being actively used to compromise systems.
Exploitation
Code or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior in a digital system. In software, the vulnerability being exploited is a weakness or absence of a safeguard, and exploiting it results in an unplanned adverse outcome.
Exploit Prediction Scoring System (EPSS)
A community-driven effort to combine descriptive information about vulnerabilities (CVEs) with evidence of actual exploitation in the wild.
Finder
Commonly known as the reporter. These are upstream parties, researchers, and individuals who report a vulnerability to Red Hat. All finder data is aggregated and triaged by Product Security. Finders may also wish to keep vulnerability information embargoed with Red Hat and other vendors until a fix is available. In these circumstances, Red Hat coordinates the embargo and disclosure dates with the finder. Finders are recognized on our public CVE pages for valid flaws reported in coordination with Red Hat.
Hardening
The process of securing a server or computer system by minimizing its attack surface, or surface of vulnerability, and potential attack vectors.
Heap-based buffer overflow
A type of buffer overflow where the buffer being overwritten is allocated on the heap. The heap is a memory region which is explicitly allocated by the programmer at runtime using a routine such as malloc(). A heap-based buffer overflow can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/122.html
HTTP request smuggling
When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it. Typically, this vulnerability can allow the attacker to bypass security controls or gain unauthorized access to sensitive data.
Source: https://cwe.mitre.org/data/definitions/444.html
Impact
The severity of damage that could be incurred. This might be financial, physical, reputational, or other.
Incident Response Plan (IRP)
This plan alerts key internal stakeholders and assists in directing the required resources to be allocated for the correction, testing, and distribution of the fixes to our subscribers to resolve the vulnerability.
Information disclosure
The vulnerable component exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Integer overflow or wraparound
The software performs an arithmetic operation whose result exceeds the maximum value the integer type used to store it can represent. An integer overflow can introduce other weaknesses (e.g., a stack-based or heap-based buffer overflow) when the result of the calculation is used later on in the program, for example as an allocation size or a loop bound.
Source: https://cwe.mitre.org/data/definitions/190.html
Local attacker
An attacker with the ability to execute code on the local system at any privilege level. The typical example is a local shell account. Users who can upload code that will be executed on the server, or who can gain arbitrary code execution by exploiting another vulnerability, may also have this level of access.
Local attacker with access to console
An attacker with the ability to execute code on the local system at any privilege level and with access to the physical system console.
Major Incident Orchestration
When a major incident is identified, Red Hat orchestrates efforts to provide a corporate response for addressing the issue and prioritizes remediating the vulnerability as quickly as possible.
Malicious server
An attacker-controlled server which can take advantage of victim clients.
Man-in-the-middle attacker
An attacker with the ability to secretly relay and possibly alter the communications between two parties who believe that they are directly communicating with each other. Such an attacker usually needs full control of a network device or firewall between the two parties.
Source: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
Memory leak
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. It can lead to a denial of service.
Source: https://cwe.mitre.org/data/definitions/401.html
Namespaces
Various kinds of namespaces (e.g. user namespace, network namespace) allow user processes to have an isolated view of global (shared) system resources.
See the namespace types available on Linux at https://man7.org/linux/man-pages/man7/namespaces.7.html
National Institute of Standards and Technology (NIST)
Promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Not affected
The security issue does not exist in the source code and the product.
Notification and Assessment Coordination
Investigate security concerns, conduct a formal assessment of vulnerabilities, and provide guidance for the best possible solution.
NULL pointer dereference
The software dereferences (i.e., uses) a pointer that it expects to be valid but which is NULL. It typically leads to a denial of service (application crash).
Source: https://cwe.mitre.org/data/definitions/476.html
OAuth (Open Authorization)
An open standard authorization protocol that can allow users to access services and resources of web applications without sharing user credentials.
Out-of-bounds read
The software reads data past the end, or before the beginning, of the intended buffer. It can lead to information disclosure.
Source: https://cwe.mitre.org/data/definitions/125.html
Out-of-bounds write
The software writes data past the end, or before the beginning, of the intended buffer. It can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/787.html
Out of Scope
The product is affected but not eligible for a fix because of its life-cycle stage.
Path traversal or Directory traversal
The vulnerable application uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory (e.g., /var/www) but the application does not properly neutralize special elements (such as ".." and "/" separators) within the pathname. This can cause the pathname to resolve to an unintended location that is outside of the restricted directory. An attacker may be able to traverse the file system and read or write the contents of arbitrary files, leading to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/22.html
Pentesting
Addresses application readiness for release to discover issues that cannot be fully addressed by testing tools in either static or dynamic testing environments.
Physical attacker
An attacker who needs physical access (or its equivalent, such as a guest user able to add virtual hardware to the guest at the host level) to the system, either to plug in a physical device or to otherwise tamper with the system from close proximity.
Privilege escalation
The process of exploiting a bug, design flaw or configuration oversight in software to gain additional access to system resources that are otherwise unavailable.
Privileged guest user
A user inside the guest with additional permissions or properties above those granted on normal user creation. Usually a guest root user or an unprivileged guest user with sudo permissions.
Race condition
A race condition occurs when multiple processes or threads read and write shared data and try to change it at the same time, possibly leading to memory or data corruption.
Red Hat Security Bulletin (RHSB)
A document that provides the most actionable information to help customers make appropriate risk-based decisions.
Red Hat Severity Rating
Rates the severity of security issues found in Red Hat products using a four-point scale (Low, Moderate, Important, and Critical). This rating provides a prioritized risk assessment to help you understand and schedule upgrades to your systems, enabling informed decisions on each issue's risk in your unique environment.
Source: https://access.redhat.com/security/updates/classification/
Regression
A bug introduced by a patch that undoes or invalidates previous vulnerability fixes.
Remote attacker
An attacker who can reach the vulnerable component from across the network. Depending on how the service is configured and on any firewalls in place, this might range from the local network only to the internet at large.
Remote code execution (RCE)
Arbitrary code execution achieved by a remote attacker.
Role Based Access Control (RBAC)
A security paradigm for managing authorization privileges. RBAC is an access-control mechanism that manages user privileges and restricts access to authorized users. Roles are created within an organization, users are assigned particular roles to perform certain operations, and access is granted based on the roles of individual users. Because privileges attach to roles rather than to individuals, RBAC limits the extra privileges any one person holds and simplifies compliance.
Root privileged users
Users running with the effective user ID 0, or with equivalent Linux capabilities, such as CAP_SYS_ADMIN.
Same Origin Policy (SOP)
The same-origin policy is a web security mechanism that aims to prevent scripts loaded by different origins from interacting with each other. An origin consists of a URI scheme, domain and port number. For example, the SOP prevents JavaScript code running on a malicious website from accessing the Document Object Model (DOM) of a third-party legitimate web page.
Secure Boot
Mechanism used to verify the integrity of firmware and software running on a platform.
Secure Shell (SSH)
Network protocol that gives a secure way to access a remote system over an insecure network.
Security Architecture
Conducts security assessments and makes recommendations to reduce security exposure and risk to customers.
Security Development Lifecycle
Developed and used by Red Hat to guide building more robust security practices across the organization.
Security-Enhanced Linux (SELinux)
Security-Enhanced Linux (SELinux) is an implementation of a mandatory access control (MAC) system in the Linux kernel, which gives users and administrators finer-grained control over access decisions.
Server-side request forgery (SSRF)
Server-side request forgery (SSRF) is a web security vulnerability that occurs when an attacker can induce the vulnerable application into sending a request to certain URLs, possibly bypassing access controls such as firewalls that prevent the attacker from accessing those URLs directly. An SSRF attack can target internal systems or services behind a firewall that are not accessible from the external network. This can allow a malicious attacker to perform unauthorized activities on behalf of the vulnerable application.
Source: https://cwe.mitre.org/data/definitions/918.html
Shell / OS / Command Injection
The vulnerable application constructs all or part of an OS command using externally-influenced user input (e.g., forms, cookies, HTTP headers, etc.) but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command. It can lead to remote code execution (RCE).
Source: https://cwe.mitre.org/data/definitions/78.html
Single sign-on (SSO)
Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors.
Specially crafted input
Malicious input that is developed by an attacker, often by modifying benign data, to exploit a security vulnerability in an application or service which processes the input. The input is context-dependent and can take the form of a packet, frame, request, text file, etc.
SQL Injection
The software constructs all or part of an SQL command using externally-influenced user input, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. A remote attacker may be able to retrieve confidential data from the database, or modify or delete data. In some cases, it can lead to arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/89.html
SSL/TLS
A security protocol designed to provide secure communications over a computer network.
Stack-based buffer overflow
A type of buffer overflow where the buffer being overwritten is allocated on the stack. The stack is a memory region which is automatically reserved by the system for storing local variables when a function is called. A stack-based buffer overflow can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/121.html
Symlink attack
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. An attacker may be able to traverse the file system and read or write the contents of arbitrary files. It can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/59.html
Threat Modeling
Addresses problems in design and fixes attack surface issues prior to full development.
TOCTOU (time-of-check to time-of-use)
TOCTOU is a type of race condition that occurs when the software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the result of the check. This can cause the software to perform invalid actions (e.g., grant access to sensitive data) when the resource is in an unexpected state.
Source: https://cwe.mitre.org/data/definitions/367.html
Unauthenticated attacker
An attacker who did not have to perform an authentication step to perform intended actions.
Unprivileged guest user
A user with the standard permissions and properties granted on creation.
Use after free (UAF)
The software makes use of heap-allocated memory after it has been freed. It can lead to a denial of service or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/416.html
User namespace
User namespaces isolate security-related identifiers and attributes, such as user IDs and group IDs, the root directory, keyrings, and capabilities, so that they are visible only to a specific process and its subprocesses. This allows privileged functionality to be used inside the namespace while reducing attack vectors against the host.
Vulnerability
A flaw that is exploitable.
Vulnerability Management
How Red Hat categorizes, addresses, and responds to security vulnerabilities.
XML External Entity (XXE)
XML External Entity (XXE) is a web security vulnerability that occurs when the vulnerable application processes an XML document containing XML entities that resolve to arbitrary local files or remote files, causing their content to be embedded into its output. It can lead to information disclosure or (in some cases) arbitrary code execution.
Source: https://cwe.mitre.org/data/definitions/611.html
Zero-Day Vulnerability
A vulnerability in a product or service that has been disclosed publicly but has not been remediated.