Maintaining and managing the security exposure of your infrastructure can often be an uphill battle. However, Red Hat Insights makes it much easier to do so if your Red Hat Enterprise Linux servers are registered with Insights.
The Insights Vulnerability service allows users to assess, triage, prioritize and remediate the most critical vulnerabilities affecting their servers with the built-in threat intelligence and the integration to Red Hat Ansible Automation Platform. Over the course of the last few years, the Vulnerability service has been enhanced to continue to provide users with tremendous value.
Red Hat Insights is a software-as-a-service (SaaS) offering, included with every Red Hat Enterprise Linux (RHEL) subscription. It continuously analyzes platforms and applications to help you manage your hybrid cloud environment and uses predictive analytics and deep domain expertise to reduce the time required to perform complex operational tasks from hours to minutes. This includes identifying security and performance risks, tracking subscription utilization and managing costs.
You can now view CVEs that do not have errata
Up until this point, the Insights Vulnerability service has only given users the ability to address and assess Common Vulnerabilities and Exposures (CVEs) that come with a Red Hat provided fix through errata or advisories, or those carrying the Security Rule label. However, an exciting new feature has been added with our latest feature release, expanding the scope of this service. Users can now engage with and evaluate CVEs that currently lack associated errata from Red Hat.
Let's look at the underlying reasons why certain CVEs might not yet have corresponding errata, or why there may be availability of errata in some versions of RHEL for a given CVE but not others:
- Ongoing investigation and potential future fixes: The absence of an errata could stem from ongoing investigations by Red Hat into the specific CVE. There remains a possibility that a fix will be developed and provided in due course.
- Risk evaluation and business justification: Red Hat may decide against delivering errata on a particular CVE due to an assessment of limited potential impact. As articulated by Red Hat's Vice President of Product Security, Vincent Danen, “most vulnerabilities have minimal opportunity to cause harm.” Business-wise, addressing each and every vulnerability as equally urgent may prove to be impractical and cost-prohibitive on a large scale.
- End of support for vulnerable systems: Instances where a vulnerable system or operating system (OS) version is no longer supported could lead to a lack of corresponding fixes. We highly recommend you move to a newer version that is under support or adopt alternative protective measures.
- Deferred fixes with varied reasons: Fixes for certain CVEs might be deferred for a variety of reasons, which could range from technical complexities to strategic considerations.
Considering the intricate interplay of these factors within the realm of CVEs and different RHEL versions, it's important to recognize that any combination of these circumstances could be contributing to the current landscape. Notwithstanding these complexities, we firmly believe that understanding the extent of your organization's exposure to CVEs, whether they have associated errata or not, remains a pivotal facet of proactive decision-making. This expanded feature gives you the data you need to make informed decisions and prioritize where you need to focus for your organization.
What are my options for dealing with CVEs without any errata?
Now that you have visibility into CVEs without associated errata or advisories, how should you approach this information? This calls for making well-informed decisions while carefully weighing trade-offs. It's crucial to grasp that the enhanced Insights Vulnerability service now highlights exposure levels that were previously concealed from view. In essence, your vulnerability status remains unchanged, but your awareness of these vulnerabilities has increased. To navigate this scenario, several options are available:
- Acknowledge and embrace risk: Operationally, the Vulnerability service presents a "Status" attribute, allowing users to designate CVEs as "No action - risk accepted." This facilitates tracking and allows you to filter out such vulnerabilities from your immediate view while acknowledging the inherent risk.
- Focus on high-risk issues first: Balancing the issues that need attention with the resources available to deal with them is often a challenge. This new feature allows you to get a full understanding of your risk and put higher-priority CVEs on the fast track while designating lower-priority issues as “On Hold” via the status field. Using this status lets you keep track of the fact that you have reviewed the CVE and consciously decided to put it on the back burner until you are ready to pick it up.
- Implement custom mitigations: Where feasible, you can apply your own mitigations. You can track this by assigning a "Resolved via mitigation" status, signifying that you've taken proactive steps to address the potential risk.
- Upgrade your OS: If your operating system is no longer supported, a strategic response could involve upgrading to a more recent version. This proactive measure can contribute to reducing exposure to an array of different vulnerabilities.
- Monitor Red Hat's investigation: You can maintain vigilance by periodically checking the Red Hat customer portal for updates on CVEs that are currently under investigation. This ongoing awareness helps you track the evolving landscape of vulnerabilities.
Our primary objective is to provide you with a comprehensive view of your potential risk exposure. This data gives you greater agency in determining the course of action best suited to safeguarding your organization's interests.
Here are a few highlights of this new Insights feature:
First, this feature will be enabled by default, but the CVEs that do not have any errata/advisories will be hidden from your primary view. This is to allow you to focus on the critical CVEs at hand. To view CVEs without errata, users can easily apply the appropriate filter in the table within the CVE list view. This filter is also available on the CVE details page, where the list of systems appears for a specific CVE.
Figure 1. Users can filter by the Advisory field to view CVEs that do not have errata
Second, users will be able to fully disable this feature, which will hide all the CVEs without errata from being displayed in the Vulnerability service and remove filters/options from the respective screens. The feature can be enabled or disabled directly within the Vulnerability service from the CVE list view page as shown in Figure 2.
Figure 2. Users can enable/disable the functionality of showing/hiding CVEs without any fixes
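To make the triage workflow and the list-view behaviour described above concrete, here is an added Python model (not Red Hat's or the Insights service's own code, and not its API) that works over a constructed inventory of CVE records. The three status values named in the post are used as given; the "Not reviewed" default, the "Critical/Important/Moderate/Low" severity ranking, the advisory filter values, and the placeholder CVE-2099-* identifiers are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass, replace
from enum import Enum


class Status(str, Enum):
    """Values of the Vulnerability service "Status" field named in the post.
    NOT_REVIEWED is an assumed default for CVEs nobody has triaged yet."""
    NOT_REVIEWED = "Not reviewed"
    ON_HOLD = "On hold"
    RISK_ACCEPTED = "No action - risk accepted"
    MITIGATED = "Resolved via mitigation"


# Red Hat's four-level severity scale, highest first (rank used for sorting).
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    severity: str
    has_errata: bool          # does Red Hat ship an advisory for this CVE?
    affected_systems: int     # registered systems Insights reports as affected
    status: Status = Status.NOT_REVIEWED


# Constructed sample inventory; the IDs are placeholders, not real CVEs.
SAMPLE = [
    CveRecord("CVE-2099-0001", "Critical", True, 40),
    CveRecord("CVE-2099-0002", "Important", False, 120),
    CveRecord("CVE-2099-0003", "Moderate", True, 5, Status.ON_HOLD),
    CveRecord("CVE-2099-0004", "Low", False, 200, Status.RISK_ACCEPTED),
    CveRecord("CVE-2099-0005", "Important", True, 12, Status.MITIGATED),
    CveRecord("CVE-2099-0006", "Critical", False, 3),
]


def list_view(cves, feature_enabled=True, advisory_filter="with_errata"):
    """Model of the CVE list view: by default CVEs without errata are hidden;
    the (assumed) advisory filter value "without_errata" reveals them; with
    the feature disabled they are never shown, whatever the filter says."""
    if not feature_enabled:
        return [c for c in cves if c.has_errata]
    want_errata = advisory_filter == "with_errata"
    return [c for c in cves if c.has_errata == want_errata]


def worklist(cves):
    """CVEs still awaiting a decision, highest severity first. Within one
    severity, CVEs with a Red Hat fix come first (applying the advisory is
    the cheapest remediation), then by number of affected systems.
    Parked statuses (on hold, risk accepted, mitigated) are excluded."""
    open_items = [c for c in cves if c.status is Status.NOT_REVIEWED]
    return sorted(
        open_items,
        key=lambda c: (SEVERITY_RANK[c.severity], not c.has_errata, -c.affected_systems),
    )


def triage(cves, cve_id, status):
    """Return a new inventory with one CVE's status set; records are frozen so
    the original list is left untouched."""
    return [replace(c, status=status) if c.cve_id == cve_id else c for c in cves]


def exposure_summary(cves):
    """Counts by (has_errata, status) so the exposure that used to be invisible
    (no errata) is reported alongside everything else."""
    return Counter((c.has_errata, c.status.value) for c in cves)


if __name__ == "__main__":
    print("Default view:", [c.cve_id for c in list_view(SAMPLE)])
    print("No-errata view:", [c.cve_id for c in list_view(SAMPLE, advisory_filter="without_errata")])
    print("Worklist:", [c.cve_id for c in worklist(SAMPLE)])
    parked = triage(SAMPLE, "CVE-2099-0006", Status.ON_HOLD)
    print("Worklist after parking CVE-2099-0006:", [c.cve_id for c in worklist(parked)])
    for key, count in sorted(exposure_summary(SAMPLE).items()):
        print(f"errata={key[0]!s:5} status={key[1]!r}: {count}")
```

The point of the model is the last two functions: once no-errata CVEs are visible, the status field is what keeps them from cluttering the worklist without losing the record that someone looked at them, and the summary shows how much of the exposure has a vendor fix versus how much needs your own decision.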
The expanded Red Hat Insights Vulnerability service will help you better understand the vulnerabilities impacting your infrastructure.
About the author
Mohit Goyal is a Senior Principal Product Manager for Red Hat Insights. Mohit brings a wealth of experience and skills in enterprise software, having held roles as a software engineer, project manager, and product manager across the software and travel industries. Goyal has a bachelor's degree in Computer Science from the Institute of Technology, University of Minnesota and an MBA from the Carlson School of Management, University of Minnesota. With his technical skills and business acumen, he helps build products to address problems faced by enterprises, with a focus on security, user experience, and cloud computing. When he's not writing user requirements, engaging with customers, or building product roadmaps, Mohit can be found running, cooking, or reading.