Red Hat Product Security is pleased to announce that official Red Hat vulnerability data is now available in a new format called the Vulnerability Exploitability eXchange (VEX). In April 2023, we mentioned in an article titled “The future of Red Hat security data” that Red Hat was working on providing a new security data format. This new format has been created to replace the old OVAL data format, which we aim to deprecate at the end of 2024.
Since February 2023, Red Hat has published Red Hat security advisories (RHSAs) in the CSAF format as an official, recommended authoritative source for Red Hat-released security patches.
These advisories contain information about patched vulnerabilities (fixed status) for the particular product. They can also include information about components that are not affected by a vulnerability (known-not-affected status) that the same advisory patches in other components of the same product release. The VEX files that are now available also cover the unpatched data for all vulnerabilities (with an associated CVE ID) that potentially affect the Red Hat portfolio, which includes all products and their components.
Red Hat VEX beta files are available at: https://access.redhat.com/security/data/csaf/beta/vex/
What is VEX?
The Vulnerability Exploitability eXchange (VEX) is a profile in the CSAF security machine-readable data standard that allows vendors to assert whether specific vulnerabilities affect a product (product and its components). Not only does it state if they are affected but also what the remediation status is as it changes. A VEX profile covers the following statuses:
- Fixed: Information that the specific CVE is fixed in a particular product and components with a link to the released CSAF advisory
- Known Affected: Confirmation that the specific component and product are affected by a particular CVE and no fix is available
- Known Not Affected: Confirmation that the specific component and product are not affected by a particular CVE
- Under Investigation: Information that the Red Hat Product Security team is verifying the applicability and impact of a specific CVE to a particular product and component
By publishing data in the CSAF-VEX format, Red Hat can provide, without any further delays, transparent information in a machine-readable format about the applicability of a particular public CVE to all related products and their components. Red Hat’s VEX security data covers both RPM packages and non-RPM content in container images. For customers and security scanning vendors that use Red Hat security data, the new data provides more granular, accurate, and up-to-date information than the previous data formats.
Implementation details
As mentioned in the “The future of Red Hat security data” article, Red Hat releases VEX files for every single CVE that affects the Red Hat portfolio. The key difference between CSAF advisories and VEX files for every CVE is that the CSAF advisory covers two statuses (fixed and not affected) for one specific product release. The VEX file for a single CVE covers all security statuses for all potentially affected products and their components.
VEX files are dynamic and are updated each time new information is available, or when there is a change in status for the specific product and component in correlation with the CVE, such as a released patch, a decision that a patch will not be released, or a determination that the component is not affected.
Similar to CSAF advisories published by Red Hat, VEX files meet the requirements of the trusted provider role as defined in the standard. All VEX files have an accompanying detached signature file to verify each VEX file's authenticity and a file containing the hash of the VEX file to ensure its integrity.
Understanding Red Hat VEX files
All VEX files generally consist of three major sections:
- Document metadata
- Product tree array
- Vulnerability metadata
Document metadata
The document metadata is included in the "document": {...} object. This section contains basic information about the VEX file, the vendor, and the release and update dates. You can also find information about the overall vulnerability severity based on Red Hat's severity ratings. Here is an example of the document section:
"aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "moderate" } "id": "CVE-2022-40152", "initial_release_date": "2022-09-16T00:00:00+00:00", "revision_history": [ { "date": "2022-09-16T00:00:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-09-07T14:15:11+00:00", "number": "2", "summary": "Current version" } ],
Product tree array
The product tree array is included in the "product_tree": {...} object. This section contains information about the products, components, and their relationship. All products and their components are represented by individual branches. Product Streams are represented by the “product_name” category, for example:
"category": "product_name", "name": "Red Hat Enterprise Linux BaseOS (v. 8)", "product": { "name": "Red Hat Enterprise Linux BaseOS (v. 8)", "product_id": "BaseOS-8.6.0.GA", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8::baseos" } } },
Components are represented by the “product_version” category in the following way:
"category": "product_version", "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src", "product": { "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src", "product_id": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/kernel-rt@4.18.0-372.9.1.rt7.166.el8?arch=src" } }
The product-to-component relationship in the VEX file is represented in the following way:
"category": "default_component_of", "full_product_name": { "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)", "product_id": "BaseOS-8.6.0.GA:kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src" }, "product_reference": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src", "relates_to_product_reference": "BaseOS-8.6.0.GA" },
It is important to note that not every component in the Red Hat VEX files contains a purl identifier. Only components that have fixed versions (that is, versions that address a vulnerability) include a purl identifier. If a fix has not yet been released for a vulnerability, as indicated by the status Known Affected, Known Not Affected, or Under Investigation, the component is identified only by its name in the product_version object. Components that do not have a fix available in their Product Streams are assumed to be affected in all versions and are associated with the provided status.
Vulnerability metadata
Vulnerability metadata is included in the "vulnerabilities": [...] object. This section contains the security status for all products and their components listed in the product tree section. This section also includes information about the CVE description and possible additional statements or mitigation steps. The potential mitigation options are associated with all products and their components, even if there are already released security patches for some components.
The following is an example of a fixed product status with a listing of relationship object IDs created in the product tree:
"fixed": [ "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.aarch64", "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.ppc64le", "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.s390x", "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src", "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64", ]
With the associated remediation step and a link to the Red Hat CSAF advisory:
"category": "vendor_fix" "url": "https://access.redhat.com/errata/RHSA-2022:1988"
Affected products and their components may link to an explanatory remediation covering why a certain product may not have an available fix:
"known_affected": [ "red_hat_enterprise_linux_6:kernel", "red_hat_enterprise_linux_7:kernel", "red_hat_enterprise_linux_7:kernel-rt" ], { "category": "no_fix_planned", "details": "Out of support scope", "product_ids": [ "red_hat_enterprise_linux_6:kernel", "red_hat_enterprise_linux_7:kernel", "red_hat_enterprise_linux_7:kernel-rt" ] }
The no_fix_planned category contains the details of why the patch will not be released. In the above example, the patch will not be released because the product is already out of support scope. When the affected product is still supported but the vulnerability is rated as having a Low security impact, the product may not receive a fix for that vulnerability. This case is represented in the VEX file using the “no_fix_planned” category with the “Will not fix” detail text:
```json
{
  "category": "no_fix_planned",
  "details": "Will not fix",
  "product_ids": [
    "Openshift_pipelines:openshift-pipelines-client"
  ]
}
```
The vulnerabilities section also contains information about the CVSS metrics in the scores field. In the threats field, the impact category represents the Red Hat severity rating associated with each product and component pair. If there is a known exploit for a particular vulnerability, information about it is included in the "exploit_status" category in this section.
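As an added example (not code from this article or from Red Hat's own tooling), the following Python walks a VEX document the way the product tree and vulnerability sections above describe: it indexes the nested product_tree branches by product_id, follows each product_status entry through its default_component_of relationship back to the product and component names, and attaches the purl (present only for fixed components) and the matching remediation. The embedded document is a constructed sample shaped like the fragments above, not a real Red Hat VEX file.

```python
# Constructed sample shaped like the Red Hat VEX fragments above (not a real Red Hat file):
# a fixed RHEL 8 component that carries a purl and a known-affected RHEL 7 one that does not.
SAMPLE_VEX = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_name", "product": {"product_id": "BaseOS-8.6.0.GA",
                "name": "Red Hat Enterprise Linux BaseOS (v. 8)"}},
            {"category": "product_version", "product": {"product_id": "kernel-0:4.18.0-372.9.1.el8.x86_64",
                "name": "kernel-0:4.18.0-372.9.1.el8.x86_64", "product_identification_helper":
                {"purl": "pkg:rpm/redhat/kernel@4.18.0-372.9.1.el8?arch=x86_64"}}},
            {"category": "product_name", "product": {"product_id": "red_hat_enterprise_linux_7",
                "name": "Red Hat Enterprise Linux 7"}},
            {"category": "product_version", "product": {"product_id": "kernel", "name": "kernel"}}]}],
        "relationships": [
            {"product_reference": "kernel-0:4.18.0-372.9.1.el8.x86_64", "relates_to_product_reference":
             "BaseOS-8.6.0.GA", "full_product_name": {"product_id": "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64"}},
            {"product_reference": "kernel", "relates_to_product_reference": "red_hat_enterprise_linux_7",
             "full_product_name": {"product_id": "red_hat_enterprise_linux_7:kernel"}}]},
    "vulnerabilities": [{"cve": "CVE-2022-40152",
        "product_status": {"fixed": ["BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64"],
                           "known_affected": ["red_hat_enterprise_linux_7:kernel"]},
        "remediations": [{"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2022:1988",
                          "product_ids": ["BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64"]},
                         {"category": "no_fix_planned", "details": "Out of support scope",
                          "product_ids": ["red_hat_enterprise_linux_7:kernel"]}]}],
}


def index_products(branches, out):
    # Walk the nested product_tree branches; every branch carrying a "product" is indexed by product_id.
    for b in branches:
        if "product" in b:
            out[b["product"]["product_id"]] = b["product"]
        index_products(b.get("branches", []), out)
    return out


def resolve_statuses(vex):
    # Map each product_status entry (a relationship id) to its product, component, purl and remediation.
    tree, products = vex["product_tree"], index_products(vex["product_tree"]["branches"], {})
    rels = {r["full_product_name"]["product_id"]: r for r in tree.get("relationships", [])}
    rows = {}
    for vuln in vex["vulnerabilities"]:
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                rel, comp = rels[pid], products[rels[pid]["product_reference"]]
                rem = next((r for r in vuln.get("remediations", []) if pid in r.get("product_ids", [])), {})
                rows[pid] = {"status": status, "product": products[rel["relates_to_product_reference"]]["name"],
                             "component": comp["name"],
                             "purl": comp.get("product_identification_helper", {}).get("purl"),
                             "remediation": rem.get("category"), "details": rem.get("details"), "url": rem.get("url")}
    return rows
```

Running resolve_statuses on a real Red Hat VEX file gives one row per product and component pair, which is the granularity a scanner needs to decide whether a given installed package is fixed, still affected, or will never receive a fix.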
Will there be future improvements in the security data?
The security data landscape is constantly changing, which is why Red Hat security data will continue to improve. Together with the publication of VEX files, Red Hat extended the information available in the CSAF security advisories (RHSAs) by adding:
- information about active exploits,
- purl identifiers for each component,
- information about vulnerability mitigations, if any exist,
- information about an OS reboot being required after applying the changes of a given advisory.
In the future, we would like to add a representation of product version ranges to our machine-readable data formats. Additionally, there are plans to extend the data by providing information about layered products and their relationship to the primary products and components affected by a specific vulnerability. All Red Hat security data changes are tracked in the Red Hat Security Data Changelog.
Please contact Red Hat Product Security with any questions regarding security data at secalert@redhat.com or file an issue in the public SECDATA Jira project.
About the author
Przemysław Roguski is a Security Architect at Red Hat who specializes in the security aspects of cloud products. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security. He is focused on security data improvements (various upstream and downstream security initiatives and projects such as CWE, Kubernetes, and the Red Hat Vulnerability Scanner Certification program) to build a better understanding of security issues and improve client satisfaction.