ProductsDesktop Server Red Hat Enterprise Linux OpenStack Platform For IBM POWER For IBM System z For SAP Business Applications Red Hat Satellite Management For Scientific ComputingExtended Update Support High Availability High Performance Network Load Balancer Resilient Storage Scalable File System Smart Management Extended Lifecycle SupportAccelerate Automate Integrate Red Hat JBoss Developer Studio Portfolio Edition Web Framework Kit Application Platform Web Server Data Grid Portal Fuse Red Hat JBoss A-MQ SOA Platform BRMS Data Services Platform JBoss Operations Network JBoss Community or JBoss enterprise
SolutionsWhy Red Hat Why open hybrid cloud? The new IT Public cloud Cloud resource library Private cloud Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Cloud applications and workloadsSolaris to Red Hat Enterprise Linux Migration overview Migrate from your UNIX platform How to migrate to Red Hat Enterprise Linux Upgrade to the latest Red Hat Enterprise Linux release JBoss Enterprise Middleware Benefits of migrating to Red Hat Enterprise Linux Migration services Start a conversation with Red Hat
TrainingClassroom training Red Hat Online Learning Virtual training Remote classroom training On-site team training Online Learning LabsPopular and new courses Red Hat JBoss Administration curriculum Core System Administration curriculum Red Hat JBoss Middleware Development curriculum Advanced System Administration curriculum Linux Development curriculum Cloud Computing, Virtualization, and Storage curriculum
ConsultingSOA and integration Business process management Cloud and Virtualization Custom Software Development Enterprise Data and Storage Systems management Migrations
Does Red Hat support Common Vulnerability Scoring System (CVSS)?
Yes. Red Hat has been involved in CVSS for several years. Learn more about Red Hat and CVSS.
Where can I go to find more information about CVE?
Refer to the CVE website for information about the CVE project, naming, and various processes.
Who else uses CVE names?
Many organizations use CVE names as part of their security services. More details can be found on the CVE website. In January 2002, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE standard solutions throughout their security infrastructure.
We hope our commitment to the CVE project will encourage other open source vendors to become more actively engaged in this initiative.
What is the difference between a CVE entry and a candidate?
CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Prior to the 19th October 2005, candidates were assigned names with the CAN- prefix to distinguish them from official CVE entries. The CAN- prefix was no longer used after October 19, 2005, although it may be referenced in older Red Hat publications and advisories.
A CVE name is an encoding of the year the name was assigned, and a unique number, N, for the Nth number of names assigned that year. For example, CVE-2002-0067 was assigned a unique number in 2002 and was the 67th name assigned that year.
Why does the CVE website tell me a name you referenced is not found?
In many cases, the security issues our advisories address are not public knowledge prior to an advisory being released, and as such, do not already have assigned CVE names. For these situations, we work with MITRE to reserve the CVE names we need in advance; however, it can then take a short period of time for the CVE names to appear on the CVE website once the issues become public.
Which Red Hat services use CVE names?
We have added CVE names to all Red Hat Security Advisories (RHSA) released since November 2001. These are found on our website, email notifications sent to our security mailing lists, and also on the Red Hat Network.
Red Hat has audited all security advisories since January 2000 and assigned or created CVE entries where appropriate. Use the per CVE pages to find out information about a given CVE name.
What is Red Hat doing with the CVE project?
We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.
Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.
What is the CVE project?
The Common Vulnerabilities and Exposures (CVE) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. Learn more.
What is the OVAL project?
The Open Vulnerability and Assessment Language (OVAL) project, maintained by The MITRE Corporation, is an international, information security effort that promotes open and publicly available security content, and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Learn more.