In a previous blog post, we mentioned the ongoing work to overhaul our CVE pages and we are happy to announce those changes are now live. If you navigate to any CVE from our Red Hat CVE Database or an external source like a search engine, you'll be presented with the new user interface that displays important information and metadata about a specific CVE that is relevant to Red Hat's products.
Is my product affected?
We've combined the information about affected products, affected packages, and released errata into a single master table that you can filter and order, presenting a much cleaner look and feel than the previous version. Individual rows in the table may also show product- and package-specific impacts and CVSS scores where applicable.
For example, CVE-2019-10161, which affected the "libvirt" package in various versions of Red Hat Enterprise Linux, had an overall impact of Important with a CVSS v3 score of 8.8. For Red Hat Enterprise Linux 6, however, the impact of this vulnerability was limited to a denial of service, so the security impact was lowered to Moderate with a CVSS v3 score of 7.3. Browsing to the "score details" also lets you compare the detailed CVSS breakdown specific to that product and package against the breakdown of the overall vulnerability CVSS score.
When a product reaches a particular support phase, fixing vulnerabilities of a certain impact may no longer be supported. These products are shown with a state of "Out of support scope" and will include a link to their lifecycle document, which covers the product's entire support schedule and the conditions for each support phase.
Why is Red Hat's CVSS score different?
Our Understanding Red Hat security ratings page explains how Red Hat classifies vulnerabilities by impact, how we use CVSS to rate vulnerabilities, and why our CVSS scores may differ from those displayed in the NIST National Vulnerability Database (NVD). For every CVE, we now show a side-by-side breakdown of Red Hat's CVSS score and the CVSS score present in NVD. When the scores differ by a large margin, a comment may be shown explaining why that is. See CVE-2019-7609 as an example.
What does "Will not fix" mean?
At the bottom of every CVE page you will find an FAQ section that answers questions we get asked frequently, such as what it means when a product is marked as "Will not fix". The FAQ section may be expanded in the future to cover CVE-specific questions and answers, and more content may be added as we identify common difficulties in understanding our security data.
What Else?
A number of small improvements that contribute to the overall cleaner look were also made. If a CVE has an existing Vulnerability Response article, it will be linked under the CVE's description. Each CWE is now expanded to provide a textual description of the CWE or a combination of CWEs that classify this CVE. For example, CVE-2019-11477 had a CWE-190->CWE-400 combination of CWEs, which translates to an Integer Overflow or Wraparound leading to Uncontrolled Resource Consumption.
Red Hat is committed to providing the best security data for our products to the general public. If you have any questions or comments about the new CVE page look or any of the information displayed, please send an email to secalert@redhat.com.
Martin Prpic is a senior software engineer at Red Hat.