
Classification of Security Issues

Red Hat Security Response Team, January 2005

This page describes the scheme used to classify the impact of security issues found in Red Hat products, providing a simple way to judge the severity of security updates and to see which issues matter the most. A prioritized risk assessment helps customers understand and schedule upgrades to their systems, and lets them make a more informed decision about the risk each issue poses in their own environment.

Red Hat rates the impact of individual vulnerabilities on a four-point scale designed to be an at-a-glance guide to how worried Red Hat is about each security issue. The scale takes into account the potential risk of a flaw based on a technical analysis of the exact flaw and its type, but not the current threat level. Therefore the rating given to an issue will not change if an exploit or worm is later released for a flaw, or if one is available before release of a fix.

Critical Impact: This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration would not be classed as critical impact.

Important Impact: This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow local or remote users to easily cause a denial of service.

Moderate Impact: This rating is given to flaws that may be harder or less likely to exploit but, given the right circumstances, could still lead to some compromise of the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that could have had a critical or important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.

Low Impact: This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences.

A Red Hat security advisory can contain fixes for more than one vulnerability and can contain packages for more than one affected distribution. For each individual vulnerability in an advisory, the Red Hat Security Response Team determines the impact rating for each distribution. The overall severity of an advisory is then the highest severity of all the individual issues across all the distributions. For simplicity, the security advisories show only the overall severity and do not list the impact ratings for each issue individually. Instead, each advisory contains links to the relevant tickets in Red Hat's bug tracking system, where the individual impacts and any additional commentary are given.
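To make the scheme concrete, the following Python model encodes the four rows of the table above as a decision over a flaw's technical properties, and the advisory rule as a maximum over every issue and every distribution. This is an editor's added illustration, not Red Hat's own tooling or process: the attribute names (`remote`, `authenticated`, `user_interaction`, `outcome`, `easily_exploited`, `default_config`), the way each table row is mapped onto them, and the sample issue and distribution names are all assumptions made for the example.

```python
# Added example: a model of the four-point impact scale and the advisory-severity rule.
# Editor's illustration, not Red Hat's tooling; attribute names and the mapping of
# table rows to attributes are an interpretation of the table's wording.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Impact(IntEnum):
    """Ordered so that max() picks the most severe rating."""
    LOW = 1
    MODERATE = 2
    IMPORTANT = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Flaw:
    """Technical properties of one flaw on one distribution (assumed attribute set)."""
    remote: bool              # triggerable over the network (False = local user only)
    authenticated: bool       # the attacker needs valid credentials
    user_interaction: bool    # a victim must do something (open a file, click a link)
    outcome: str              # "code_exec", "privilege_escalation", "info_disclosure", "dos", "other"
    easily_exploited: bool    # technical evaluation: exploitation is straightforward
    default_config: bool      # affects a likely (default) configuration, not an unlikely one


def _shape(flaw: Flaw) -> Optional[Impact]:
    """Match the flaw against the Critical and Important rows of the table, ignoring for
    now how easy it is to exploit and whether the configuration is likely.
    Returns None when the flaw matches neither row."""
    # Critical row: remote, unauthenticated, no user interaction, arbitrary code execution.
    if (flaw.remote and not flaw.authenticated and not flaw.user_interaction
            and flaw.outcome == "code_exec"):
        return Impact.CRITICAL
    # Important row: local privilege gain, unauthenticated remote read of protected
    # resources, remote code execution that needs credentials or user interaction
    # (assumption: treating user-interaction cases like the table's "authenticated
    # remote users" case), or denial of service.
    if ((not flaw.remote and flaw.outcome == "privilege_escalation")
            or (flaw.remote and not flaw.authenticated and flaw.outcome == "info_disclosure")
            or (flaw.remote and flaw.outcome == "code_exec")
            or flaw.outcome == "dos"):
        return Impact.IMPORTANT
    return None


def rate(flaw: Flaw) -> Impact:
    """Impact rating of one flaw on one distribution, following the table: a flaw shaped
    like the Critical or Important row that is not easily exploited, or affects an unlikely
    configuration, drops to Moderate; anything else with a security impact is Low."""
    shape = _shape(flaw)
    if shape is None:
        return Impact.LOW
    if flaw.easily_exploited and flaw.default_config:
        return shape
    return Impact.MODERATE


def advisory_severity(advisory: Dict[str, Dict[str, Flaw]]) -> Impact:
    """Overall severity of an advisory: the highest rating over every issue and every
    distribution it ships packages for. `advisory` maps issue id -> distribution -> Flaw."""
    return max(rate(flaw) for per_dist in advisory.values() for flaw in per_dist.values())


# Constructed sample advisory; issue ids and distribution names are placeholders.
WORM_STYLE = Flaw(remote=True, authenticated=False, user_interaction=False,
                  outcome="code_exec", easily_exploited=True, default_config=True)
SAME_BUT_RARE_CONFIG = Flaw(remote=True, authenticated=False, user_interaction=False,
                            outcome="code_exec", easily_exploited=True, default_config=False)
LOCAL_PRIVESC = Flaw(remote=False, authenticated=True, user_interaction=False,
                     outcome="privilege_escalation", easily_exploited=True, default_config=True)
AUTH_REMOTE_LEAK = Flaw(remote=True, authenticated=True, user_interaction=False,
                        outcome="info_disclosure", easily_exploited=True, default_config=True)

SAMPLE_ADVISORY = {
    "ISSUE-A": {"dist-1": WORM_STYLE, "dist-2": SAME_BUT_RARE_CONFIG},
    "ISSUE-B": {"dist-1": AUTH_REMOTE_LEAK},
}

if __name__ == "__main__":
    for issue, per_dist in SAMPLE_ADVISORY.items():
        for dist, flaw in per_dist.items():
            print(f"{issue} on {dist}: {rate(flaw).name}")
    print("advisory overall:", advisory_severity(SAMPLE_ADVISORY).name)
```

Running the block rates ISSUE-A as Critical on one distribution and Moderate on the other (same flaw, unlikely configuration), ISSUE-B as Low, and the advisory as a whole as Critical, which is the only rating the advisory text would display. The per-issue, per-distribution values are what the model expects to find in the linked bug-tracker tickets rather than in the advisory itself.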

When a technology (one that is enabled and most likely used by default) completely blocks the exploitation of a particular vulnerability across all architectures, we will adjust the severity impact classification level. When a technology reduces the risk of a security issue, we may adjust the severity impact level and give an explanation of the decision in the tracking bug entry.
