
In a previous blog post, we mentioned the ongoing work to overhaul our CVE pages and we are happy to announce those changes are now live. If you navigate to any CVE from our Red Hat CVE Database or an external source like a search engine, you'll be presented with the new user interface that displays important information and metadata about a specific CVE that is relevant to Red Hat's products.

Is my product affected?

We've combined the information about affected products, affected packages, and released errata into a single master table that you can filter and sort, presenting a much cleaner look and feel than the previous version. Individual rows in the table may also show product- and package-specific impacts and CVSS scores where applicable.

For example, CVE-2019-10161, which affected the "libvirt" package in various versions of Red Hat Enterprise Linux, had an overall impact of Important with a CVSS v3 score of 8.8. For Red Hat Enterprise Linux 6, however, because the impact of this vulnerability was limited to a denial of service, the security impact was lowered to Moderate with a CVSS v3 score of 7.3. Browsing to the "score details" also lets you see a detailed breakdown of the CVSS score specific to that product and package, compared against the overall vulnerability CVSS score.

When a product reaches a particular support phase, fixing vulnerabilities of a certain impact may no longer be supported. These products are shown with a state of "Out of support scope" and will include a link to their lifecycle document, which covers the product's entire support schedule and the conditions for each support phase.

Why is Red Hat's CVSS score different?

Our Understanding Red Hat security ratings page explains how Red Hat classifies vulnerabilities by impact, how we use CVSS to rate vulnerabilities, and why our CVSS scores may differ from those displayed in the NIST National Vulnerability Database (NVD). For every CVE, we now show a side-by-side breakdown of Red Hat's CVSS score and the CVSS score present in NVD. When the scores differ by a large margin, a comment may be shown explaining why that is. See CVE-2019-7609 as an example.

What does "Will not fix" mean?

At the bottom of every CVE page you will find an FAQ section that answers questions we are frequently asked, such as what it means when a product is marked as "Will not fix". The FAQ section may be expanded in the future to cover CVE-specific questions and answers, and more content may be included as we identify common problems with understanding our security data.

What Else?

A number of small improvements that contribute to the overall cleaner look were also made. If a CVE has an existing Vulnerability Response article, it will be linked under the CVE's description. Each CWE is now expanded to provide a textual description of the CWE, or of the combination of CWEs, that classifies this CVE. For example, CVE-2019-11477 had a CWE-190->CWE-400 combination of CWEs, which translates to an Integer Overflow or Wraparound leading to Uncontrolled Resource Consumption.

Red Hat is committed to providing the best security data for our products to the general public. If you have any questions or comments about the new CVE page look or any of the information displayed, please send an email to secalert@redhat.com.

Martin Prpic is a senior software engineer at Red Hat.

