피드 구독

In a previous blog post, we mentioned the ongoing work to overhaul our CVE pages and we are happy to announce those changes are now live. If you navigate to any CVE from our Red Hat CVE Database or an external source like a search engine, you'll be presented with the new user interface that displays important information and metadata about a specific CVE that is relevant to Red Hat's products.

Is my product affected?

We've combined the information about affected products, affected packages, and released errata into a single master table that can you can filter and order, presenting a much cleaner look and feel than the previous version. The individual rows in the table may also show product and package-specific impacts and CVSS scores where applicable.

For example, CVE-2019-10161 that affected the "libvirt" package in various versions of Red Hat Enterprise Linux had an overall impact of Important with a CVSS v3 score of 8.8. For Red Hat Enterprise Linux 6 however, because the impact of this vulnerability was limited to a denial of service, the security impact was lowered to Moderate with a CVSS v3 score of 7.3. Browsing to the "score details" also allows you to see a more detailed breakdown of the CVSS score specific to that product and package to the overall vulnerability CVSS score.

When a product reaches a particular support phase, fixing vulnerabilities of a certain impact may no longer be supported. These products are shown with a state of "Out of support scope" and will include a link to their lifecycle document, which covers the product's entire support schedule and the conditions for each support phase.

Why is Red Hat's CVSS score different?

Our Understanding Red Hat security ratings page explains how Red Hat classifies vulnerabilities by impact, how we use CVSS to rate vulnerabilities, and why our CVSS scores may differ from those displayed in the NIST National Vulnerability Database (NVD). For every CVE, we now show a side-by-side breakdown of Red Hat's CVSS score and the CVSS score present in NVD. When the scores differ by a large margin, a comment may be shown explaining why that is. See CVE-2019-7609 as an example.

What does "Will not fix" mean?

At the bottom of every CVE page you will find an FAQ section that answers some common questions that we get asked frequently, such as what it means that a product is marked as "Will not fix". The FAQ section may be expanded in the future to cover CVE-specific questions and answers, and more content may be included as we identify common problems with understanding our security data.

What Else?

A number of small improvements that contribute to the overall cleaner look were also made. If a CVE has an existing Vulnerability Response article, it will be linked under the CVE's description. Each CWE is now expanded to provide a textual description of the CWE or a combination of CWEs that classify this CVE. For example, CVE-2019-11477 had a CWE-190->CWE-400 combination of CWEs, which translates to an Integer Overflow or Wraparound leading to Uncontrolled Resource Consumption.

Red Hat is committed to providing the best security data for our products to the general public. If you have any questions or comments about the new CVE page look or any of the information displayed, please send an email to secalert@redhat.com.

Martin Prpic is a senior software engineer at Red Hat.


저자 소개

UI_Icon-Red_Hat-Close-A-Black-RGB

채널별 검색

automation icon

오토메이션

기술, 팀, 인프라를 위한 IT 자동화 최신 동향

AI icon

인공지능

고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트

open hybrid cloud icon

오픈 하이브리드 클라우드

하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요

security icon

보안

환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보

edge icon

엣지 컴퓨팅

엣지에서의 운영을 단순화하는 플랫폼 업데이트

Infrastructure icon

인프라

세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보

application development icon

애플리케이션

복잡한 애플리케이션에 대한 솔루션 더 보기

Original series icon

오리지널 쇼

엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리