Red Hat Product Security had a busy year, like many of you most likely did, in 2019. As each year closes we take time to reflect upon all of “the security” we and our subscribers got to interact with throughout the calendar year. We put our findings into the Red Hat Product Security Risk Report and we’re proud to give you readers a quick summary of what we saw and what we did.
The Risk Report catalogues the vulnerabilities that were discovered and patched throughout the Red Hat product portfolio. We provide context to the CVEs that we felt could have the most impact from a real-world risk perspective, as well as provide a filter to the fear, uncertainty and doubt that is sometimes sown around high profile vulnerabilities, which in turn introduces additional challenges to your operations.
Created in 2001, the Red Hat Product Security team has more than 19 years of direct experience in managing vulnerabilities and security within open source communities, and we provide our readers with calm advice through our advisories and through artifacts like the Risk Report. Without further delay, let’s get a brief summary of what happened in 2019:
2019 by the numbers
Overall, Red Hat Product Security reviewed 2,714 security flaw reports, continuing a slight downward trend of reports. 2017 was a banner year, marking the most reported issues to the team peaking at 3,034. This number includes all possible problems we learn about. As you’ll see in a moment, not all of those problems get to become CVEs for our offerings.
Sometimes we’ll see reports for other vendors, we’ll get reports that don’t have a security impact, and other times (and most frequently) we’ll see a report for an open source project that might be included in a branded Red Hat product, but ultimately is determined to not affect us (due to our development and build practices, or our backporting methodologies). The hard-working women and men of our incoming team are the first responders here, doing the tough work of sorting the vulnerabilities that impact Red Hat products from those that do not. My fedora is off to them.
Working with our partners through Red Hat’s Product Engineering organization, 1,313 CVEs were addressed across our product and services portfolio. This is a slight increase from previous years, but smaller than our busiest year of bug fixing, 2017, where 1,342 were addressed. So, on average, just more than 100 things were addressed every month from our perspective.
Where the rubber meets the road
Where the rubber meets the road, so to speak, are the Red Hat Security Advisories (RHSA) that are issued and ultimately applied to a system, be it physical, virtual, or container. We released 968 RHSAs, which is a three-fold increase from 2011. This speaks to the diversity and complexity of the portfolio of 2019. System administrators have their work cut out for them, no matter what types of systems they manage, which is part of the reason one might note the difference in number of CVEs fixed versus the number of issued security advisories. As time, content, and opportunity allows, we’ll bundle multiple CVE updates into a single RHSA (but then issue separate RHSAs based off of product and version) to try and help ease that administrative burden of getting downtime windows for maintenance. Obviously, as an awesome enterprise vendor, we do have solutions that can help with that (cough, cough, Insights, cough cough, Ansible, cough Satellite… just sayin’).
The Risk Report covers these topics, and many others, in more depth than this short missive does, but to speak to the highlights, here’s the year at a glance:
2,714 security issues were reported to Red Hat Product Security (slightly down from 2018)
1,313 CVEs were addressed throughout 2019, a 3.2% increase from 2018
968 Red Hat Security Advisories were issued, a record increase over previous years
40 Critical advisories addressing 27 Critical vulnerabilities
41% of Critical issues were addressed within 1 business day
85% of Critical issues were addressed within 1 week
Hopefully this stoked the fires of curiosity in you to read more about all of the amazing work Red Hat does to protect our subscribers. To learn more about the trends we saw and the security flaws that made an impact in 2019 please read the full report. Stay secure out there!