Recent improvements in Red Hat Enterprise Linux CoreOS security data
As Red Hat’s product portfolio expands, we are offering more delivery options and methods to give customers more flexibility in how they use and consume Red Hat products.
Red Hat Enterprise Linux CoreOS (RHCOS) underpins Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes. RHCOS demonstrates the flexibility that Red Hat delivers to customers by providing a comprehensive, dedicated and container-optimized base operating system.
As part of our Secure Software Development Lifecycle (Secure SDLC) practices, Red Hat provides granular and accessible security metadata, improving security risk identification across the Red Hat portfolio. This article covers some of the recent improvements in the security data for RHCOS.
What is RHCOS?
RHCOS is a dedicated, container-optimized operating system that is only available and supported as part of OpenShift. RHCOS is the only supported operating system for the OpenShift control plane (master) machines. Traditional Red Hat Enterprise Linux (RHEL) can be used on the OpenShift compute nodes, also known as worker machines, but users then lose access to the RHCOS features on those nodes, such as controlled immutability, rpm-ostree upgrades, updates through the Machine Config Operator and many more.
A full list of RHCOS features can be found in the RHCOS documentation.
OpenShift RHCOS is a pre-created, container-focused operating system image, built on well-tested RHEL RPM packages with an enhanced security posture. It also includes additional OpenShift and Fast Datapath (FDP) RPM packages necessary for this product. For more information on identifying RPM packages in RHCOS and how to find the necessary security data, see the following articles:
- Obtaining package list for RHEL CoreOS or specific image
- RHEL Versions Utilized by RHEL CoreOS and OCP
- CoreOS Kernel Versions in OCP4
RHCOS is sometimes called CoreOS, but it is important to note that CoreOS (CoreOS Container Linux) was an upstream community project that reached end of life on May 26, 2020; it is now superseded and replaced by Fedora CoreOS. Fedora CoreOS is a freely available, community distribution that is the upstream basis for Red Hat Enterprise Linux CoreOS.
RHCOS delivery method
The RHCOS builds are fully managed by the OpenShift update automation. The OpenShift Update Service (OSUS) provides update recommendations for OpenShift, including RHCOS. To better understand the RHCOS installation, and specifically the update process, refer to the Introduction to OpenShift updates documentation.
The easiest way to check which RHCOS version a specific OpenShift version uses is to run the following command with the OpenShift CLI (oc) tool:
$ oc adm release info 4.15.0 --registry-config=path_to_the_pull-secret.txt
Version 4.15.0 is the OpenShift version you want to check. The pull secret can be downloaded from https://console.redhat.com/openshift/downloads.
At the top of the output, you will see various metadata about the specific OpenShift version. The RHCOS version is listed in the Component Versions section. For example:
Component Versions:
kubernetes 1.28.6
machine-os 415.92.202402201450-0 Red Hat Enterprise Linux CoreOS
In the list of the default OpenShift images available in the specific release, there is a machine-os-content container image, which contains a list of RPM packages installed in the RHCOS used in this version of OpenShift. There are instructions about how to get the necessary information in the Obtaining package list for RHEL CoreOS or specific image article.
Starting from OpenShift 4.16.0, the machine-os-content container image is no longer shipped. Starting from OpenShift 4.12.0, RHCOS is shipped as a container image and can be found under the rhel-coreos (or rhel-coreos-8, depending on which version of OpenShift you’re using) name. By adding the --pullspecs option to the above command, you can get the full source repository path from which the specific RHCOS image can be downloaded.
Dedicated RHCOS security metadata
Because RHCOS is a composition of selected RPM packages taken from several of Red Hat’s product repositories, it was challenging to match the included components to the correct Red Hat security data. Collecting all of the data needed for a correct security risk assessment was time consuming, yet it was a necessary step in a correct vulnerability management process.
The Red Hat Product Security team started publishing dedicated RHCOS security metadata in October 2024. RHCOS is treated as another OpenShift component, similar to OpenShift container images. The entire vulnerability management process, including product-level risk assessment, is done for all RHCOS components. This includes all RPM packages, including the kernel. The scope of this security data improvement includes all vulnerabilities directly impacting the RHCOS components, such as vulnerabilities in the kernel, OpenSSL, or cri-o components. Vulnerabilities that have an indirect impact, such as Golang CVEs, are not in scope of the current data enhancement but we plan to add them in later improvements. Increasing the scope of coverage won’t impact how RHCOS security metadata is presented to customers.
Security data representation
RHCOS security data is available in two formats: human-readable and machine-readable.
Human-readable data format
New security data is available in the human-readable format on Red Hat CVE pages. For example, fixed RHCOS vulnerabilities appear as follows:
https://access.redhat.com/security/cve/CVE-2024-26602
The RHCOS security metadata covers all statuses visible on Red Hat CVE pages depending on the following vulnerability lifecycle:
- Affected
- Not affected
- Under investigation
- Fixed
- Will not fix
- Fix deferred
See the following examples of CVEs that impact RHCOS with different security states:
“Fix Deferred” https://access.redhat.com/security/cve/CVE-2024-45310
“Under investigation” https://access.redhat.com/security/cve/CVE-2024-8418
Note: The security state can change over time, based on the vulnerability lifecycle.
Machine-readable data format
The same security metadata is available in machine-readable form in the official Red Hat CSAF and VEX files. For example, the released patch for CVE-2024-26602 is represented as follows:
The VEX file for CVE-2024-26602.
CSAF advisory with the RHCOS security patch RHSA-2024:1765.
When a particular vulnerability is fixed, the VEX and CSAF files contain detailed information about the fixed RHCOS version, including the various architectures and an RHCOS digest SHA in purl format. At the associated product level, the "product_tree": {…} object provides information about the OpenShift version in which the patch is included. For all security statuses other than Fixed (based on the CSAF standard and VEX profile), the RHCOS component is represented by a purl identifier without version details.
To read more about CSAF and VEX security data files and their implementation, see the following articles:
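The following added example (not code from the original article or from Red Hat) shows how the product_status entries and purl identifiers in a CSAF/VEX document resolve, per OpenShift release, to the human-readable states listed above. It assumes the CSAF 2.0 layout that Red Hat VEX files follow; the document itself is constructed, with placeholder product ids, purl digest and CVE number, and the mapping of "Will not fix" and "Fix deferred" onto known_affected plus a remediation entry is an assumption to check against the Red Hat Security Data Guidelines.

```python
# Constructed minimal CSAF 2.0 VEX document in the shape Red Hat uses (not a real file):
# the product ids, purl digest and CVE number are placeholders.
SAMPLE_VEX = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_version", "name": "rhel-coreos",
             "product": {"name": "rhel-coreos", "product_id": "rhel-coreos-0",
                         "product_identification_helper": {"purl": "pkg:oci/rhel-coreos@sha256:PLACEHOLDER"}}}]}],
        "relationships": [
            {"category": "default_component_of", "product_reference": "rhel-coreos-0",
             "relates_to_product_reference": "OCP-4.15",
             "full_product_name": {"name": "rhel-coreos in OCP 4.15", "product_id": "OCP-4.15:rhel-coreos-0"}},
            {"category": "default_component_of", "product_reference": "rhel-coreos-0",
             "relates_to_product_reference": "OCP-4.14",
             "full_product_name": {"name": "rhel-coreos in OCP 4.14", "product_id": "OCP-4.14:rhel-coreos-0"}}]},
    "vulnerabilities": [{"cve": "CVE-0000-00000",
        "product_status": {"fixed": ["OCP-4.15:rhel-coreos-0"], "known_affected": ["OCP-4.14:rhel-coreos-0"]},
        "remediations": [{"category": "none_available", "details": "Deferred",
                          "product_ids": ["OCP-4.14:rhel-coreos-0"]}]}]}
STATUS_LABELS = {"fixed": "Fixed", "known_not_affected": "Not affected",
                 "under_investigation": "Under investigation", "known_affected": "Affected"}

def rhcos_component_ids(branches, found=None):
    """Collect product_ids whose purl names an rhel-coreos component, walking nested branches."""
    found = set() if found is None else found
    for branch in branches:
        purl = branch.get("product", {}).get("product_identification_helper", {}).get("purl", "")
        if "rhel-coreos" in purl:
            found.add(branch["product"]["product_id"])
        rhcos_component_ids(branch.get("branches", []), found)
    return found

def rhcos_states(vex, cve):
    """Map each OpenShift release that ships RHCOS to its human-readable state for `cve`."""
    components = rhcos_component_ids(vex["product_tree"].get("branches", []))
    # product_status lists relationship ids (release:component), so resolve those to releases.
    releases = {r["full_product_name"]["product_id"]: r["relates_to_product_reference"]
                for r in vex["product_tree"].get("relationships", [])
                if r["product_reference"] in components}
    vuln = next(v for v in vex["vulnerabilities"] if v["cve"] == cve)
    # Assumption: "Will not fix" and "Fix deferred" are known_affected plus a remediation entry.
    rems = vuln.get("remediations", [])
    wont_fix = {p for r in rems if r["category"] == "no_fix_planned" for p in r["product_ids"]}
    deferred = {p for r in rems if r["category"] == "none_available"
                and "deferred" in r.get("details", "").lower() for p in r["product_ids"]}
    states = {}
    for category, pids in vuln["product_status"].items():
        for pid in (p for p in pids if p in releases):
            states[releases[pid]] = ("Will not fix" if pid in wont_fix else "Fix deferred"
                                     if pid in deferred else STATUS_LABELS.get(category, category))
    return states
```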
- CSAF VEX documents now generally available
- Vulnerability Exploitability eXchange (VEX) beta files now available
- Red Hat VEX files for CVEs are now generally available
- Red Hat Security Data Guidelines
Red Hat security data updates
We are continuously improving our security metadata by making it more detailed and specific. This applies not only to vulnerability data, but also to other security-related data, such as the software bill of materials (SBOM) or compliance and attestation data. Changes related to the Red Hat Security Data can be found in the Red Hat Security Data Changelog.
Please contact Red Hat Product Security with any questions regarding security data at [email protected], or file an issue in the public SECDATA Jira project.