Recent improvements in Red Hat Enterprise Linux CoreOS security data

As Red Hat’s product portfolio of various products expands, we are offering more delivery options and methods to give customers more flexibility in how they use and consume Red Hat products.

Red Hat Enterprise Linux CoreOS (RHCOS) underpins Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes. RHCOS demonstrates the flexibility that Red Hat delivers to customers by providing a comprehensive, dedicated and container-optimized base operating system.

As part of our Secure Software Development Lifecycle (Secure SDLC) practices, Red Hat provides granular and accessible security metadata, improving security risk identification across the Red Hat portfolio. This article covers some of the recent improvements in the security data for RHCOS.

What is RHCOS?

RHCOS is a dedicated, container-optimized operating system only available and supported as part of OpenShift. RHCOS is the only supported operating system for the OpenShift control plane or master machines. Traditional Red Hat Enterprise Linux (RHEL) can be used on the OpenShift compute nodes, also known as worker machines, but then users lose access to the RHCOS features for these nodes, including things like controlled immutability, rpm-ostree upgrades, updates through the Machine Config Operator and many more.

A full list of RHCOS features can be found in the RHCOS documentation.

OpenShift RHCOS is a pre-created, container-focused operating system image, built on well-tested RHEL RPM packages with an enhanced security posture. It also includes additional OpenShift and Fast Datapath (FDP) RPM packages necessary for this product. For more information on identifying RPM packages in RHCOS and how to find the necessary security data, see the following articles:

• Obtaining package list for RHEL CoreOS or specific image
• RHEL Versions Utilized by RHEL CoreOS and OCP
• CoreOS Kernel Versions in OCP4

RHCOS is sometimes called CoreOS, but it is important to note that CoreOS (CoreOS Container Linux) was an upstream community project that reached end of life on May 26, 2020; it is now superseded and replaced by Fedora CoreOS. Fedora CoreOS is a freely available, community distribution that is the upstream basis for Red Hat Enterprise Linux CoreOS.

RHCOS delivery method

The RHCOS builds are fully managed by OpenShift updates automation. The OpenShift Update Service (OSUS) provides update recommendations for OpenShift, including RHCOS. To better understand the RHCOS installation, and specifically the update process, refer to the Introduction to OpenShift updates documentation.

The easiest way to check the RHCOS version used in the specific OpenShift version, is to use the OpenShift CLI (oc) tool and run the following command:

$ oc adm release info 4.15.0 
--registry-config=path_to_the_pull-secret.txt

Version 4.15.0 is the OpenShift version you want to check. The pull secret can be downloaded from https://console.redhat.com/openshift/downloads.

On top of the output, you will see various metadata about the specific OpenShift version. The RHCOS version information is included in the Component Versions section. For example:

Component Versions:
 kubernetes 1.28.6                
 machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS

In the list of the default OpenShift images available in the specific release, there is a machine-os-content container image, which contains a list of RPM packages installed in the RHCOS used in this version of OpenShift. There are instructions about how to get the necessary information in the Obtaining package list for RHEL CoreOS or specific image article.

Starting from OpenShift 4.16.0, the machine-os-contentcontainer image is no longer shipped. Starting from OpenShift 4.12.0, RHCOS is shipped as a container image and can be found under rhel-coreos(or rhel-coreos-8, depending on which version of OpenShift you’re using) name. By adding the --pullspecsoption to the above command, you can get the full source repository path where the specific RHCOS image can be downloaded.

Dedicated RHCOS security metadata

Because RHCOS is a composition of selected RPM packages taken from a few of Red Hat’s product repositories, it was challenging to match the included components to the correct Red Hat security data. Collecting all of the necessary data for performing the correct security risk assessment process was time consuming, but at the same time it was a necessary step in the correct vulnerability management process.

The Red Hat Product Security team started publishing dedicated RHCOS security metadata in October 2024. RHCOS is treated as another OpenShift component, similar to OpenShift container images. The entire vulnerability management process, including product-level risk assessment, is done for all RHCOS components. This includes all RPM packages, including the kernel. The scope of this security data improvement includes all vulnerabilities directly impacting the RHCOS components, such as vulnerabilities in the kernel, OpenSSL, or cri-o components. Vulnerabilities that have an indirect impact, such as Golang CVEs, are not in scope of the current data enhancement but we plan to add them in later improvements. Increasing the scope of coverage won’t impact how RHCOS security metadata is presented to customers.

Security data representation

RHCOS security data is available in two different formats, human-readable and machine-readable.

Human-readable data format

New security data is available in the human-readable format on Red Hat CVE pages. For example, fixed RHCOS vulnerabilities appear as follows:

https://access.redhat.com/security/cve/CVE-2024-26602

The RHCOS security metadata covers all statuses visible on Red Hat CVE pages depending on the following vulnerability lifecycle:

• Affected
• Not affected
• Under investigation
• Fixed
• Will not fix
• Fix deferred

See the following examples of CVEs that impact RHCOS with different security states:

“Fix Deferred” https://access.redhat.com/security/cve/CVE-2024-45310

“Under investigation” https://access.redhat.com/security/cve/CVE-2024-8418

Note: The security state can change over time, based on the vulnerability lifecycle.

Machine-readable data format

The same security metadata are available in machine-readable formats in official Red Hat CSAF and VEX files. For example, the released patch for CVE-2024-26602 is represented as follows:

The VEX file for CVE-2024-26602.

CSAF advisory with the RHCOS security patch RHSA-2024:1765.

When the particular vulnerability is fixed, the VEX and CSAF files contain detailed information about the RHCOS fixed version, including various architectures and a RHCOS digest SHA in a purlformat. In the associated product level, the "product_tree": {…} object provides information about the OpenShift version where a patch is included. For all security statuses other than Fixed (based on the CSAF standard and VEX profile), the RHCOS component is represented by a purl identifier without version details.

To read more about CSAF and VEX files security data and their implementation please see the following articles:

• CSAF VEX documents now generally available
• Vulnerability Exploitability eXchange (VEX) beta files now available
• Red Hat VEX files for CVEs are now generally available
• Red Hat Security Data Guidelines

Red Hat security data updates

We are continuously improving our security metadata by making it more detailed and specific. This applies not only to vulnerability data, but also to other security-related data, such as the software bill of materials (SBOM) or compliance and attestation data. Changes related to the Red Hat Security Data can be found in the Red Hat Security Data Changelog.

Please contact Red Hat Product Security with any questions regarding security data at [email protected], or file an issue in the public SECDATA Jira project.

Build a foundation for zero trust in Linux environments