
In a previous blog post, we mentioned the ongoing work to overhaul our CVE pages and we are happy to announce those changes are now live. If you navigate to any CVE from our Red Hat CVE Database or an external source like a search engine, you'll be presented with the new user interface that displays important information and metadata about a specific CVE that is relevant to Red Hat's products.

Is my product affected?

We've combined the information about affected products, affected packages, and released errata into a single master table that you can filter and sort, presenting a much cleaner look and feel than the previous version. Individual rows in the table may also show product- and package-specific impacts and CVSS scores where applicable.

For example, CVE-2019-10161, which affected the "libvirt" package in various versions of Red Hat Enterprise Linux, had an overall impact of Important with a CVSS v3 score of 8.8. For Red Hat Enterprise Linux 6, however, the impact of this vulnerability was limited to a denial of service, so the security impact was lowered to Moderate with a CVSS v3 score of 7.3. Browsing to the "score details" also shows a more detailed breakdown of the CVSS score specific to that product and package, side by side with the overall vulnerability CVSS score.

When a product reaches a particular support phase, fixing vulnerabilities of a certain impact may no longer be supported. These products are shown with a state of "Out of support scope" and will include a link to their lifecycle document, which covers the product's entire support schedule and the conditions for each support phase.

Why is Red Hat's CVSS score different?

Our Understanding Red Hat security ratings page explains how Red Hat classifies vulnerabilities by impact, how we use CVSS to rate vulnerabilities, and why our CVSS scores may differ from those displayed in the NIST National Vulnerability Database (NVD). For every CVE, we now show a side-by-side breakdown of Red Hat's CVSS score and the CVSS score present in NVD. When the scores differ by a large margin, a comment may be shown explaining why that is. See CVE-2019-7609 as an example.

What does "Will not fix" mean?

At the bottom of every CVE page you will find an FAQ section that answers questions we are frequently asked, such as what it means when a product is marked as "Will not fix". The FAQ section may be expanded in the future to cover CVE-specific questions and answers, and more content may be added as we identify common difficulties in understanding our security data.

What Else?

A number of small improvements that contribute to the overall cleaner look were also made. If a CVE has an existing Vulnerability Response article, it is linked under the CVE's description. Each CWE is now expanded to provide a textual description of the CWE, or of the combination of CWEs, that classifies the CVE. For example, CVE-2019-11477 had the CWE combination CWE-190->CWE-400, which translates to an Integer Overflow or Wraparound leading to Uncontrolled Resource Consumption.

Red Hat is committed to providing the best security data for our products to the general public. If you have any questions or comments about the new CVE page look or any of the information displayed, please send an email to secalert@redhat.com.

Martin Prpic is a senior software engineer at Red Hat.
