What can be said about 2020 that hasn't been said already? It was certainly a year in which things happened, and a good number of those things involved security. Looking across the vulnerability landscape as a whole, more than 176,447 CVEs were reported.
Within the Red Hat portfolio, we identified 2,040 unique CVEs that affected components we supply and support. That was far and away the highest number of CVEs we have fixed in any calendar year on record, and it translates into a significant amount of work for an operator or administrator who wants to keep systems at current patch levels.
We understand that most enterprises do not run exclusively on Red Hat products and services; for someone responsible for a heterogeneous environment with a melange of technologies to keep updated, it can seem like a Herculean task.
This is why we publish a Red Hat Severity Score (on a four-point scale of Low, Moderate, Important and Critical) with each vulnerability, alongside our CVSS scoring and CWE analysis. Every security issue carries some level of importance, but some issues are more likely to be exploited, or have higher consequences if they are, and the severity rating is what lets an operator decide which updates to apply first.
It is worth noting that we have tracked and reported on issues affecting our software for years precisely so that we can see how the distribution of severities changes over time. The volume of Critical and Important issues addressed across the whole portfolio has remained generally flat, with a slight uptick in 2020, but it is nowhere near "record levels." Red Hat Engineering also addressed Critical issues across the portfolio with great speed: in 2020, 31% of the CVEs we rated as Critical had patches available to consumers within one business day of public disclosure, 89% had fixes within one week, and 100% were addressed within one month.
Overall, the volume of issues we patched was 1.5 times higher than in 2019, while both the average and the median time to deliver a fix went down. In other words, security updates became available faster even as there were more of them.
The number of Moderate security flaws fixed in 2020 alone exceeded the total number of vulnerabilities Red Hat fixed in 2011, 2012, 2013 and 2014 combined (plus we fixed 460 Low severity issues as icing on that cake). That is a threefold increase in volume across the board since 2011. What do the next nine years hold? Only time will tell.
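The time-to-fix figures above are distribution statistics over pairs of (public disclosure date, fix availability date), bucketed by severity. The following is an added example, not code from the original post or from Red Hat, showing how an operator could compute the same kind of profile for their own environment from a constructed list of fixed issues. The record fields, the sample records (with placeholder labels rather than real CVE identifiers), and the "business day" rule (Monday to Friday counted, weekends skipped, a same-day fix counts as zero) are assumptions of this example, not Red Hat's published methodology.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Fix:
    """One fixed vulnerability. Field names are assumptions of this example."""
    ident: str       # constructed placeholder label, not a real CVE identifier
    severity: str    # Red Hat four-point scale: Critical, Important, Moderate, Low
    disclosed: date  # date the issue became public
    fixed: date      # date the first patched build was available


def business_days_between(start: date, end: date) -> int:
    """Number of Monday-to-Friday days after `start` up to and including `end`.

    Assumed rule for this example: a same-day fix is 0 business days, and a
    Friday disclosure fixed on the following Monday is 1 (the weekend is skipped).
    """
    if end < start:
        raise ValueError("fix date precedes disclosure date")
    count = 0
    day = start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:  # Monday == 0 ... Friday == 4
            count += 1
    return count


def fix_time_profile(fixes: Iterable[Fix], severity: str) -> Dict[str, float]:
    """Share of fixes at `severity` delivered within 1 business day, 7 calendar
    days and 30 calendar days, plus mean and median calendar days to fix.

    The 7-day and 30-day windows are this example's reading of "one week" and
    "one month"; the report's exact cut-offs are not stated on the page.
    """
    subset = [f for f in fixes if f.severity == severity]
    n = len(subset)
    if n == 0:
        return {"count": 0}

    calendar_days: List[int] = sorted((f.fixed - f.disclosed).days for f in subset)

    def share(pred: Callable[[Fix], bool]) -> float:
        return sum(1 for f in subset if pred(f)) / n

    mid = n // 2
    median = calendar_days[mid] if n % 2 else (calendar_days[mid - 1] + calendar_days[mid]) / 2
    return {
        "count": n,
        "within_one_business_day": share(lambda f: business_days_between(f.disclosed, f.fixed) <= 1),
        "within_one_week": share(lambda f: (f.fixed - f.disclosed).days <= 7),
        "within_one_month": share(lambda f: (f.fixed - f.disclosed).days <= 30),
        "mean_calendar_days": sum(calendar_days) / n,
        "median_calendar_days": median,
    }


# Constructed sample data; the labels are placeholders, not real CVE identifiers.
SAMPLE_FIXES = [
    Fix("sample-01", "Critical", date(2020, 1, 3), date(2020, 1, 6)),    # Fri -> Mon: 1 business day, 3 calendar days
    Fix("sample-02", "Critical", date(2020, 1, 1), date(2020, 1, 1)),    # same-day fix
    Fix("sample-03", "Critical", date(2020, 3, 2), date(2020, 3, 6)),    # Mon -> Fri: 4 days
    Fix("sample-04", "Critical", date(2020, 3, 2), date(2020, 3, 20)),   # 18 days, inside the month
    Fix("sample-05", "Important", date(2020, 6, 1), date(2020, 6, 2)),   # 1 day
    Fix("sample-06", "Important", date(2020, 7, 1) - timedelta(days=30), date(2020, 7, 15)),  # 44 days, misses the 30-day mark
]


if __name__ == "__main__":
    for sev in ("Critical", "Important", "Moderate"):
        print(sev, fix_time_profile(SAMPLE_FIXES, sev))
```

The business-day count is the part that usually goes wrong in home-grown reporting: a Friday-evening disclosure fixed on Monday morning is one business day but three calendar days, so a naive `(fixed - disclosed).days <= 1` check would undercount the fast fixes. Running the block prints the Critical profile as 50% within one business day, 75% within a week and 100% within a month over the constructed records.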
Reducing security risks requires effective management programs
As systems get more complex, the key to reducing the risks associated with them is to have effective patch and vulnerability management programs in place and to minimize the attack surface you present to a malicious or merely curious actor.
It is worth noting that when default security features are disabled (turning SELinux off, for example, which would make Dan Walsh cry), the risk profile of that system is drastically altered, opening the door to additional security risks and impacts that the default configuration would have contained. Good security hygiene, timely patch management, and appropriate access controls and logging go a very long way toward keeping the next terrible media headline from being about you.
We hope you’ve enjoyed this series of blogs around our 2020 Product Security Risk Report. Each of these articles has expanded upon a concept covered within the report, so if you liked the blogs, please read the full report to learn more.
About the author
Christopher Robinson, better known as CRob to his colleagues, is a former Product Security Program Architect at Red Hat.