Suscríbase al feed

In a previous Red Hat article, VP of Red Hat Product Security, Vincent Danen, discussed the question "Do all vulnerabilities really matter?" He emphasized that "a  software vulnerability has the potential to be exploited by miscreants to harm its user." The key word here is "potential". If the potential for exploitation is high, or if an exploit for a vulnerability is already in use in the wild, then these vulnerabilities pose a greater risk and must be prioritized and addressed promptly.

Red Hat uses CISA as a source for known exploited vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) leads the US national effort to understand, manage, and reduce risk to their cyber and physical infrastructure. CISA maintains a Known Exploited Vulnerabilities (KEV) catalog, otherwise known as the CISA catalog.

In November 2021, CISA issued the binding operational directive CISA BOD 22-01. This directive requires that all US Government federal agencies (USG) identify and remediate all vulnerabilities listed in the CISA catalog in their information systems. Additionally, this catalog is available to the public so other non-USG customers can be aware of the listed exploited vulnerabilities and seek immediate remediations. The vulnerabilities listed have been observed to be exploited in the wild, presenting an elevated risk.

In response, Red Hat created a program to resolve vulnerabilities added to the KEV list as quickly as possible. This program helps Red Hat to continue strengthening our security posture across our software portfolio while maintaining our reputation as a trustworthy partner.

How well did Red Hat remediate exploited in the wild vulnerabilities?

As described in CISA BOD-22-01, CISA has three main criteria for adding vulnerabilities to the KEV:

  1. A Common Vulnerabilities and Exposures (CVE) ID
  2. Clear remediation guidance
  3. Reliable evidence of exploitation in the wild

In 2023, the CISA catalog included 20 CVEs that impacted Red Hat products.  The following table displays the breakdown by severity. 

Severity rating

Total Red Hat  Flaw counts

In the wild exploitation

In the wild exploitation as a percentage of total flaw counts

All

1644

20

1.2%

Critical

12

1

5.3%

Important

336

15

4.5%

Moderate

1047

3

0.3%

Low

247

1

0.4%

The amount of vulnerabilities exploited in the wild was fairly low,  accounting for 1.2% of the total flaws that impacted Red Hat in 2023. Once Red Hat is notified that a CVE is  added to the CISA catalog, Red Hat provides a fix for the vulnerability within an average of 10 calendar days (notably faster than the 21 calendar days that CISA gives for the vulnerability to be resolved).

It is also important to note that Red Hat has released errata for approximately 24% of these Exploit CVEs before they were added to the CISA catalog. 

How many of Red Hat’s KEV CVEs had errata published before KEV addition?

More than half of the exploited in the wild vulnerabilities pertain to the WebKitGTK package. WebKit is one of the three big web rendering engines. The exploit primarily targets iOS users and sometimes macOS users, as well as any software using the JavaScript Just in Time (JIT) compiler. To better enhance the security of Red Hat software,  Red Hat has disabled the JavaScript JIT mechanism in the 8.8 z-stream and 9.2 z-stream RHEL releases. This action is expected to cut down on the volume of WebKit vulnerabilities by half going forward. 

Security awareness

Red Hat Product Security's awareness and visibility into reported exploited vulnerabilities enable us to proactively address rising threats and fix vulnerabilities that truly matter. These actions allow Red Hat to remain a trusted vendor and partner to our customers. At Red Hat, openness and transparency are embedded in our culture. This culture of transparency influences our customer interactions and allows us to be a trusted partner. Sharing pertinent information makes our community well-informed and well-versed, especially when it comes to security. 


Sobre los autores

Leonardo Firicano joined Red Hat in 2021 as a Business Analyst for Product Security. Leo brings his experience and skills to Product Security, having held previous roles as a technical business analyst, a project analyst, and a data analyst within the finance industry. Leo holds a bachelor’s degree in Finance and Information Systems from Suffolk University and an MBA from Northeastern University.

Read full bio

Marco Benatto is a Senior Product Security Engineer at Red Hat and experienced Linux developer who has worked with several userspace applications and is currently focused on kernel-space and filesystems, with a background in memory management.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Navegar por canal

automation icon

Automatización

Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos

AI icon

Inteligencia artificial

Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar

open hybrid cloud icon

Nube híbrida abierta

Vea como construimos un futuro flexible con la nube híbrida

security icon

Seguridad

Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías

edge icon

Edge computing

Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge

Infrastructure icon

Infraestructura

Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo

application development icon

Aplicaciones

Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones

Original series icon

Programas originales

Vea historias divertidas de creadores y líderes en tecnología empresarial