Vulnerabilities in software are a global concern, and open source software is no different from proprietary software in this regard. Any software vulnerability has the potential to be exploited by miscreants to harm its users. Whether on-premises, in the cloud, or on your mobile device, vulnerabilities in software make headlines (for good reason).
There is tension, however, between software producers and software users. On the surface, any vulnerability is scary due to the potential for harm. Yet the reality is that most vulnerabilities have minimal opportunity to cause harm, whether due to the type of vulnerability itself, the level of access required to exploit it, the vulnerability's exposure in typical use of the software, or many other factors. This variability means a vulnerability in a particular component used in different products can have different severities in those products. Not all software vulnerabilities are created equal, and there is a substantial body of work to support this assertion.
For instance, Red Hat produces an annual Product Security Risk Report highlighting the number of vulnerabilities found and fixed in Red Hat products. The 2021 Product Security Risk Report identified 1596 vulnerabilities affecting the Red Hat product portfolio. At the time the report was released, only 26 of those vulnerabilities were identified as being actively exploited, according to the Cybersecurity and Infrastructure Security Agency (CISA). While this is just one source of data, this widely utilized source provides insight into observed exploitation at scale. Incidentally, the vast majority of exploited vulnerabilities in CISA’s catalog are in proprietary software.
And most security breaches against entities are not due to software exploitation. The 2022 Verizon Data Breach Investigations Report noted that only 7% of breaches were due to software exploitation. The vast majority were due to credential theft and phishing attacks; as they note, 82% of breaches were due to the “human element” and not software. The data isn’t there, but one must wonder what percentage of that 7% was in software with an available patch that hadn’t been applied?
We will release the 2022 Product Security Risk Report early next year, but thus far, the indicators are primarily the same. Most breaches are not due to software vulnerabilities, and most software vulnerabilities are not exploited.
To be crystal clear: there are vulnerabilities that must be fixed. And they need to be fixed in a reasonable amount of time to enable end-users to apply mitigations to avoid potential exposure. However, given the number of vulnerabilities discovered annually, remediating every single one is a daunting task for anyone, whether a vendor, an upstream community, or a downstream consumer. This is why no vendor fixes every known vulnerability as an immediate priority. From a scaling perspective, it’s prohibitively expensive. There is an adage: if everything is important, then nothing is. This is especially true when it comes to risk management.
From an innovation perspective, it means resources that could be advancing technology are used to correct vulnerabilities that will likely never be a cause for concern. The promise of open source is innovation, which is what most open source communities and commercial providers seek to provide. So, time spent fixing issues that introduce little risk versus creating new and innovative solutions is an interesting dilemma.
Red Hat is no different. Our customers engage with us for digital transformation and speed of innovation, using our technologies to help them with solutions that create ever greater value for their customers. This is why we defined robust product life cycles that clearly indicate what Red Hat will and will not fix in terms of security vulnerabilities.
We know that, statistically speaking, Critical vulnerabilities are those most likely to be exploited and those most likely to cause significant harm if successfully exploited. At all points in the product life cycle, we fix Critical vulnerabilities as quickly as possible. In 2019, we extended this to all Important-rated vulnerabilities across the product life cycle. These are vulnerabilities that, while not as damaging as those rated Critical, could still cause significant harm if exploited. To put it in perspective, in 2021, of the 10 Critical CVEs affecting the Red Hat portfolio, only one was on CISA’s list of known exploited issues (or 10%), and of the 283 Important CVEs, only seven were on CISA’s list (or 2.5%). Even here, we see that the observed active exploitation is low. Still, because it’s difficult to determine which ones will end up being actively exploited, from a proactive and protective perspective, we fix them all.
While fixing Moderate and Low severity issues is not part of the published product life cycle, they may be fixed when other non-security fixes are published. This reduces the burden of testing on the end user. After all, most enterprise customers test fixes before deploying them in production, a cost borne by the end user for every update. When this becomes too expensive, updates simply won't be applied in a timely fashion, and we want our updates to be applied as quickly as possible!
As we monitor vulnerability exploitation, our commitment is to correcting risky vulnerabilities. Red Hat aims to promote effective risk management, and we will fix all actively exploited vulnerabilities, irrespective of severity.
It’s simple economics. A Moderate vulnerability being exploited still only provides a certain level of exposure, typically less than a Critical or Important vulnerability, or requires a significant amount of effort to be successful. Consider this example. In 2021, there were 1060 identified Moderate vulnerabilities, of which only 18 (or 1.7%) were identified as being actively exploited, and Red Hat responded as quickly as possible to these issues when observed. Developing fixes for all 1060 vulnerabilities, when only 18 were impactful, is a significant undertaking; each one must be created and tested by the vendor and further tested and deployed by the consumer. That isn’t cost-effective or risk-appropriate for either party.
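To make that prioritization concrete, here is an added example (not Red Hat's tooling and not code from this post) that joins a vendor's severity ratings with an exploitation catalogue modelled on CISA's Known Exploited Vulnerabilities feed, then applies the rule described above: Critical and Important always ship a fix, anything on the exploited list ships a fix irrespective of severity, and the rest are batched with the next non-security update. The CVE ids, ratings and catalogue entries are constructed, and the feed's field names (`vulnerabilities`, `cveID`) are an assumption about its shape.

```python
import json
from collections import defaultdict

# Constructed sample: a vendor's own severity ratings for a handful of CVE ids.
# The ids are placeholders, not real advisories.
SEVERITY_BY_CVE = {
    "CVE-0000-0001": "Critical",
    "CVE-0000-0002": "Important",
    "CVE-0000-0003": "Moderate",
    "CVE-0000-0004": "Moderate",
    "CVE-0000-0005": "Low",
    "CVE-0000-0006": "Low",
}

# Constructed stand-in for an exploitation catalogue such as CISA KEV. The
# field names are assumed to mirror the feed ("vulnerabilities" -> "cveID");
# the entries themselves are invented for this example.
KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0002", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-0000-0004", "dateAdded": "2021-12-10"},
        {"cveID": "CVE-9999-9999", "dateAdded": "2021-01-01"},  # not in our portfolio
    ]
})

# Severities that are fixed across the whole life cycle regardless of exploitation.
ALWAYS_FIX = {"Critical", "Important"}


def load_kev_ids(kev_json_text):
    """Parse the catalogue and return the set of CVE ids listed as actively exploited."""
    feed = json.loads(kev_json_text)
    return {entry["cveID"] for entry in feed.get("vulnerabilities", [])}


def triage(cve, severity, kev_ids):
    """Classify one flaw as ("fix-now", reason) or ("batch", reason).

    Exploitation evidence is checked first so that a Moderate or Low issue
    on the exploited list is still fixed immediately.
    """
    if cve in kev_ids:
        return ("fix-now", "actively exploited")
    if severity in ALWAYS_FIX:
        return ("fix-now", f"{severity} severity")
    return ("batch", f"{severity}, no exploitation observed")


def plan(severity_by_cve, kev_ids):
    """Return {cve: (action, reason)} for the whole portfolio."""
    return {cve: triage(cve, sev, kev_ids) for cve, sev in severity_by_cve.items()}


def exploitation_rate(severity_by_cve, kev_ids):
    """Per-severity (total, exploited, percent), the same shape as the 18/1060 figure above."""
    totals = defaultdict(int)
    exploited = defaultdict(int)
    for cve, sev in severity_by_cve.items():
        totals[sev] += 1
        if cve in kev_ids:
            exploited[sev] += 1
    return {
        sev: (totals[sev], exploited[sev], round(100 * exploited[sev] / totals[sev], 1))
        for sev in totals
    }


if __name__ == "__main__":
    kev = load_kev_ids(KEV_JSON)
    for cve, (action, why) in sorted(plan(SEVERITY_BY_CVE, kev).items()):
        print(f"{cve} {SEVERITY_BY_CVE[cve]:<9} -> {action:<7} ({why})")
    for sev, (n, x, pct) in exploitation_rate(SEVERITY_BY_CVE, kev).items():
        print(f"{sev}: {x}/{n} exploited ({pct}%)")
```

The order of checks in `triage` is the point: the exploited-list lookup comes before the severity test, so a downgrade in rated severity can never hide an issue that is being exploited in the wild, and catalogue entries for software you do not ship (the `CVE-9999-9999` entry) are simply ignored.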
When updating any software, there are costs in time and resources, as well as risks to interoperability and security. We mitigate those risks by focusing on providing updates for what, based on the information available, truly matters. Security updates are typically produced by backporting: the specific fix is applied to the version already shipped rather than rebasing to a newer upstream release. This keeps the number of code changes needed to fix the issue small and avoids pulling in new, currently unknown vulnerabilities that may be present in later versions.
We aim to take a pragmatic, trusted and resilient approach to vulnerability management in our products. Moreover, our approach reflects the true value of open source – the collaborative and speedy approach to innovation and value creation.
If you want more details on how Red Hat handles vulnerabilities and our methodology, read our recently-updated whitepaper: An Open Approach to Vulnerability Management.
About the author
Vincent Danen lives in Canada and is the Vice President of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for over 20 years.