Gathering security data using the Red Hat Security Data API

In this post:

• We provide real-world scenarios to walk you through how to find the fix status on a CVE, the impact on your Red Hat product and more.

Red Hat Product Security is committed to providing tools and security data to help you better understand security threats. This data has been available on our Security Data page and is also available in a machine-consumable format with the Security Data API. By exposing a list of endpoints to query security data, this tool allows you to programmatically query the API for data that was previously exposed only through files on our Security Data page. To understand how we share our security data, take a look at this post.

This post will cover how the Security Data API can be used to address real-world security use cases and concerns programmatically.

These selected use cases are based on questions which were sent to the Red Hat Product Security team in recent months. Each of these examples can be easily modified to address your own needs.

Use cases

I heard about an interesting CVE. Are any of my Red Hat products affected by this CVE? If yes, what is the fix status?

You can see this information (products affected, fix status) on the Red Hat CVE Database page. Now, using the Security Data API, let’s extract the information in a machine readable format. As an example, let’s choose some recent CVEs that were classified as Important or Critical. 

Let’s look at CVE-2021-23358, for example.

To gather Red Hat-published information for this particular CVE, we can use Security Data API and this query:

curl -s https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23358.json 

By default, the output is in json format. You may also add extension .json to force it, or specify the alternative format .xml.
The fix status of the products are stored in two different fields in the CVE metadata:

• package_state[] - This contains information about products and potentially affected packages not yet fixed, with the fix state of: “Affected”, “Not affected”, “Will not fix”, “Under investigation” or “Out of support scope”.

• Affected_release[] - This contains information about products and packages for which a security fix has been already delivered via Red Hat errata.

This means that to list all Red Hat products and fix states, we need to combine “fix_state” from package_state (unfixed packages), and “advisory” from affected_release (fixed patches). We can use the jq command-line JSON processor to select only information which is important for us.

A query like the below will show the necessary information (intentionally for products where advisories have been already shipped the state is shown as Fixed):

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23358.json" | 
jq -rc '(try .package_state[] | [ .product_name, .fix_state, "-" ]), (try .affected_release[] | 
[ .product_name, "Fixed", .advisory ])'

["Red Hat Ceph Storage 3","Affected","-"]
["Red Hat Ceph Storage 4","Affected","-"]
["Red Hat Enterprise Linux 7","Will not fix","-"]
["Red Hat Enterprise Linux 8","Will not fix","-"]
["Red Hat OpenShift Container Platform 3.11","Will not fix","-"]
["Red Hat OpenShift Container Platform 4","Will not fix","-"]
["Red Hat Openshift Container Storage 4","Affected","-"]
["Red Hat Quay 3","Affected","-"]
["Red Hat Storage 3","Affected","-"]
["Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8","Fixed","RHSA-2021:1448"]
["Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8","Fixed","RHSA-2021:1499"]
["Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8","Fixed","RHSA-2021:1499"]
["Red Hat Virtualization Engine 4.4","Fixed","RHSA-2021:2865"]
["Red Hat Virtualization Engine 4.4","Fixed","RHSA-2021:2865"]

To see details about the advisory, you may use another Security Data API endpoint and run the following query:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cvrf/RHSA-2021:2865.json" | jq .

One advisory may address many CVEs. For example, advisory RHSA-2021:2865 delivered fixes for four CVEs:

• CVE-2020-7733
• CVE-2020-28469
• CVE-2021-23343
• CVE-2021-23358

That can be queried like so:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cvrf/RHSA-2021:2865.json" | jq -r '.cvrfdoc.vulnerability[].cve'

At this point, it is important to mention that when checking the advisory in the Red Hat Product Errata page, in the CVE section, there could be more CVEs listed than what is listed in the Description section. For example, see advisory RHSA-2021:2461. 

On the bottom of the page in the CVE section, there is a long list of CVEs, but when verifying the same advisory in the Security Data API there are three listed CVEs:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cvrf/RHSA-2021:2461.json" | jq -r '.cvrfdoc.vulnerability[].cve'
CVE-2021-21309
CVE-2021-28092
CVE-2021-28918

This difference appears in advisories for container images. The three CVEs listed by Security Data API (the same listed in the Description section on the Red Hat errata portal) are related to the fixed vulnerabilities in the Red Hat Advanced Cluster Management for Kubernetes source code. 

Other CVEs visible on the Red Hat errata portal in this advisory are related to the fixed vulnerabilities in dependent packages (fixes consumed by delivered images from the base layered images, usually earlier fixes in the Universal Base Image container image).

My Red Hat product might be affected by a CVE. What other information may I find about the impact on my product?

Sometimes there are other factors that reduce the impact to a specific product or make the vulnerability not exploitable. Usually, additional useful information about the particular CVE is available in the Statement section.

Let’s use the CVE-2021-27962 as an example.

By repeating the query from the previous use case:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27962.json" | 
jq -rc '(try .package_state[] | [ .product_name, .fix_state, "-" ]), (try .affected_release[] | 
[ .product_name, "Fixed", .advisory ])'

We will see that Red Hat products are not affected by this particular CVE.

["OpenShift Service Mesh 1","Not affected","-"]
["OpenShift Service Mesh 2","Not affected","-"]
["Red Hat Advanced Cluster Management for Kubernetes 2","Not affected","-"]
["Red Hat Ceph Storage 2","Out of support scope","-"]
["Red Hat Ceph Storage 3","Not affected","-"]
["Red Hat Ceph Storage 3","Not affected","-"]
["Red Hat Ceph Storage 4","Not affected","-"]
["Red Hat Enterprise Linux 8","Not affected","-"]
["Red Hat OpenShift Container Platform 3.11","Not affected","-"]
["Red Hat OpenShift Container Platform 4","Not affected","-"]
["Red Hat Storage 3","Not affected","-"]

To gather additional information like the Red Hat severity rating for this CVE, CVE details and Red Hat Statement, you may run the following query:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27962.json" | jq -r '[ .threat_severity, .details[], .statement ]'

As an output we will get:

[

  "Important",
  "Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.",
  "A flaw was found in Grafana Enterprise. Users with the Editor role are allowed to bypass data source permissions for the organization's default data source. The highest threat from this vulnerability is to data confidentiality.",
  "Red Hat products do not ship Grafana Enterprise version, therefore are not affected by this vulnerability."
]

Based on this information, you can verify a reported vulnerable version of Grafana in your environment as a false positive finding.

As an exercise, you may repeat steps from this use case and find out why Red Hat products are not affected by CVE-2021-22147.

The key information can be found in the Statement section:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22147.json" | jq -r '.statement'

Searchable snapshots feature is only available with enterprise subscription. Opensource version of elasticsearch does not include the searchable snapshots feature and hence not affected by this vulnerability.

If you want to know more about how Red Hat Product Security rates security issues, please read the Open Approach to Vulnerability Management.

Why does my product have a different security severity than the main CVE severity?

Additional information is often available about the vulnerability impact for a particular product when checking Red Hat security data for the selected CVE. That impact is different from the main CVE severity.

These situations happen due to certain features in our products that may reduce the general impact. The main CVE impact presumes the worst case scenario, so a specific product’s impact will be equal to that or lower—never higher. When there is a different impact rating for a particular product, there will be an explanation for that in the CVE statement section.

For example the main impact for the CVE-2021-22930 is “Important.” 

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22930.json" | jq .threat_severity
"Important"

But for Red Hat Quay, the impact is “low.”  It can be found like this:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22930.json" | jq -r '.package_state[] | [.product_name, .package_name, .impact, .fix_state ]'
[
  "Red Hat Enterprise Linux 8",
  "nodejs:16/nodejs",
  null,
  "Affected"
]
[
  "Red Hat Quay 3",
  "quay/quay-rhel8",
  "low",
  "Will not fix"
]

Per product impact values are only present when they differ from the main CVE severity.  Blank values should be replaced with the threat_severity from the parent data set.
More information can be found in the Statement section:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22930.json" | jq -r '.statement'
Red Hat Quay from version 3.4 consumes nodejs from RHEL, so security tracking is provided by the container health index on the customer portal [1]. Additionally there is no impact from this issue on Quay 3.3 and 3.2 because nodejs is only used at build time and is no longer shipped, starting with Quay 3.5 [2].
[1] https://catalog.redhat.com/software/containers/quay/quay-rhel8/600e03aadd19c7786c43ae49?container-tabs=security
[2] https://issues.redhat.com/browse/PROJQUAY-1409
Therefore Quay component is marked as "Will not fix" with impact LOW.

There is a vulnerability that affects package “x,” but my container is not listed as affected on the CVE page. Does it mean that it is not affected?

We need to examine the container more closely before coming to a conclusion.

Container images usually use multi-stage builds. Even if some non-RPM content is copied to the image in the final stage, some RPMs are shipped by earlier layers (base images). Many times, some RPMs are shipped in the container image only because they were required as a dependency to some other core packages. 

For example, the systemd package is shipped in many container images, but is not used by default (the PID 1 in the container is not the systemd service). Let’s take a look closer at one of the vulnerabilities related to the systemd package, CVE-2021-33910.

When we take a look at the list of the affected products and packages for this CVE, the container images are not listed there:

curl -s "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-33910.json" |  jq -rc '(try .package_state[] | [ .product_name, .fix_state, "-" ]), (try .affected_release[] | [ .product_name, "Fixed", .advisory ])'
  
["Red Hat Enterprise Linux 7","Not affected","-"]
["Red Hat Enterprise Linux 8","Fixed","RHSA-2021:2717"]
["Red Hat Enterprise Linux 8.1 Extended Update Support","Fixed","RHSA-2021:2724"]
["Red Hat Enterprise Linux 8.2 Extended Update Support","Fixed","RHSA-2021:2721"]
["Red Hat Virtualization 4 for Red Hat Enterprise Linux 8","Fixed","RHSA-2021:2736"]

This is because Red Hat currently does not publish in the Security Data components that inherit the packages from other core products like Red Hat Enterprise Linux (RHEL). Hence, on the Red Hat CVE page and in the Security Data API for CVE-2021-33910, systemd package container images are not listed even though this package is shipped in many container images. 

Potentially impacted container images (where the vulnerable RPM  is shipped) will be rebuilt once the fixed version of the package is available in the main product (RHEL or Universal Base Image).

Container images are updated regularly and the Container Health Index (CHI) indicates whether a fix to the particular flaw is available. 

Stay tuned

We shared some real-world security use cases and how the Security Data API can help. In the next post, we’ll look at use cases that will show you how to get access to the Container Health Index for the selected Red Hat container images and how to validate if there is a new image version available already.