Vulnerability Exploitability eXchange (VEX) beta files now available
Red Hat Product Security is pleased to announce that official Red Hat vulnerability data is now available in a new format called the Vulnerability Exploitability eXchange (VEX). In April 2023, in an article titled “The future of Red Hat security data”, we mentioned that Red Hat was working on providing a new security data format. This new format has been created to replace the old OVAL data format, which we aim to deprecate at the end of 2024.
Since February 2023, Red Hat has published Red Hat security advisories (RHSAs) in the CSAF format as an official, recommended authoritative source for Red Hat-released security patches.
These advisories contain information about vulnerabilities patched in a particular product release (fixed status). They can also list components of that same product release that are not affected by a vulnerability (known-not-affected status) which the advisory patches in other components. The VEX files that are now available go further: they also cover unpatched vulnerabilities (with an associated CVE ID) that potentially affect the Red Hat portfolio, that is, all products and their components.
Red Hat VEX beta files are available at: https://access.redhat.com/security/data/csaf/beta/vex/
What is VEX?
The Vulnerability Exploitability eXchange (VEX) is a profile of the CSAF machine-readable security data standard that allows a vendor to assert whether a specific vulnerability affects a product and its components. It states not only whether they are affected but also what the remediation status is, and it is updated as that status changes. The VEX profile covers the following statuses:
- Fixed: the specific CVE is fixed in a particular product and its components, with a link to the released CSAF advisory
- Known Affected: the specific product and component are affected by a particular CVE and no fix is available
- Known Not Affected: the specific product and component are not affected by a particular CVE
- Under Investigation: the Red Hat Product Security team is verifying the applicability and impact of a specific CVE to a particular product and component
By publishing data in the CSAF-VEX format, Red Hat can provide, without further delay, transparent information in a machine-readable format about the applicability of a particular public CVE to all related products and their components. Red Hat’s VEX security data covers both RPM packages and non-RPM content in container images. For customers and security scanning vendors that use Red Hat security data, the new data provides more granular, accurate, and up-to-date information than the previous data formats.
Implementation details
As mentioned in the “The future of Red Hat security data” article, Red Hat releases a VEX file for every single CVE that affects the Red Hat portfolio. The key difference between the two formats is that a CSAF advisory covers two statuses (fixed and not affected) for one specific product release, whereas the VEX file for a single CVE covers all security statuses for all potentially affected products and their components.
VEX files are dynamic: a file is updated each time new information becomes available or the status of a product and component for that CVE changes, for example when a patch is released, when a decision is made that a patch will not be released, or when a component is determined not to be affected.
Similar to CSAF advisories published by Red Hat, VEX files meet the requirements of the trusted provider role as defined in the standard. All VEX files have an accompanying detached signature file to verify each VEX file’s authenticity and a file containing the hash of the VEX file to ensure its integrity.
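Before a VEX file is parsed, the two companion files just mentioned should be checked. The following is an added example in Python, not Red Hat's tooling, showing the hash half of that check: it reads the hash file, binds the recorded digest to the expected file name, and compares it with the downloaded bytes. It assumes the hash file contains a hex SHA-256 digest, either bare or in the sha256sum "<digest>  <filename>" form, and it uses a constructed VEX body and a placeholder file name (cve-2022-0000.json). The detached signature is verified separately with gpg --verify against Red Hat's published signing key and is not shown here.

```python
"""Integrity check of a downloaded VEX file against its published hash file.

Added example, not Red Hat's tooling. Assumptions: the hash file holds a hex
SHA-256 digest, either bare or in sha256sum's "<digest>  <filename>" form.
The detached OpenPGP signature is verified separately with gpg, not here.
"""
import hashlib
import hmac
from typing import Optional


def expected_digest(hash_file_text: str, filename: str) -> Optional[str]:
    """Return the digest the hash file records for `filename`, or None.

    A bare 64-hex-character line is accepted as is; a "<digest>  <name>" line
    is accepted only when the name matches, so a hash file that belongs to a
    different CVE's VEX file is rejected instead of silently trusted.
    """
    for line in hash_file_text.splitlines():
        parts = line.split()
        if len(parts) == 1 and len(parts[0]) == 64:
            return parts[0].lower()
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None


def verify_vex_integrity(vex_bytes: bytes, hash_file_text: str, filename: str) -> bool:
    """True only if the SHA-256 of vex_bytes equals the recorded digest."""
    expected = expected_digest(hash_file_text, filename)
    if expected is None:
        return False
    actual = hashlib.sha256(vex_bytes).hexdigest()
    # The digest is public, so timing is not a concern here; compare_digest is
    # used simply because it is the right default for any digest comparison.
    return hmac.compare_digest(actual, expected)


# Constructed inputs: a stand-in for a downloaded VEX body and its hash file.
# The file name is a placeholder, not a real file under the beta URL.
SAMPLE_VEX = b'{"document": {"category": "csaf_vex", "tracking": {"id": "CVE-2022-0000"}}}\n'
SAMPLE_HASH_FILE = hashlib.sha256(SAMPLE_VEX).hexdigest() + "  cve-2022-0000.json\n"

if __name__ == "__main__":
    print(verify_vex_integrity(SAMPLE_VEX, SAMPLE_HASH_FILE, "cve-2022-0000.json"))
```

A mismatch on either the bytes or the file name returns False; treat that as a reason to discard the download, not to retry the comparison with a looser rule.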
Understanding Red Hat VEX files
All VEX files generally consist of three major sections:
- Document metadata
- Product tree array
- Vulnerability metadata
Document metadata
The document metadata is included in the "document": {…} object. This section contains basic information about the VEX file, vendor, release, and update dates. You can also find information about the overall vulnerability severity based on Red Hat’s severity ratings. Here is an example of the document section:
"aggregate_severity": {
  "namespace": "https://access.redhat.com/security/updates/classification/",
  "text": "moderate"
},
"id": "CVE-2022-40152",
"initial_release_date": "2022-09-16T00:00:00+00:00",
"revision_history": [
  {
    "date": "2022-09-16T00:00:00+00:00",
    "number": "1",
    "summary": "Initial version"
  },
  {
    "date": "2023-09-07T14:15:11+00:00",
    "number": "2",
    "summary": "Current version"
  }
],
Product tree array
The product tree array is included in the "product_tree": {…} object. This section contains information about the products, components, and their relationship. All products and their components are represented by individual branches. Product Streams are represented by the “product_name” category, for example:
{
  "category": "product_name",
  "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
  "product": {
    "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
    "product_id": "BaseOS-8.6.0.GA",
    "product_identification_helper": {
      "cpe": "cpe:/o:redhat:enterprise_linux:8::baseos"
    }
  }
},
Components are represented by the “product_version” category in the following way:
{
  "category": "product_version",
  "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
  "product": {
    "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
    "product_id": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
    "product_identification_helper": {
      "purl": "pkg:rpm/redhat/[email protected]?arch=src"
    }
  }
}
The product-to-component relationship in the VEX file is represented in the following way:
{
  "category": "default_component_of",
  "full_product_name": {
    "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
    "product_id": "BaseOS-8.6.0.GA:kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src"
  },
  "product_reference": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
  "relates_to_product_reference": "BaseOS-8.6.0.GA"
},
Note that not every component in a Red Hat VEX file carries a purl identifier. Only components with fixed versions (that is, builds that address the vulnerability) include a purl. If no fix has yet been released, which corresponds to the Known Affected, Known Not Affected, or Under Investigation status, the component is identified only by its name in the product_version object. For a component that has no fix available in its Product Stream, the status provided applies to all versions of that component.
Vulnerability metadata
Vulnerability metadata is included in the "vulnerabilities": […] array. This section contains the security status for all products and their components listed in the product tree section. It also includes the CVE description and any additional statements or mitigation steps. Mitigation options are associated with all products and their components, even those for which security patches have already been released.
The following is an example of a fixed product status with a listing of relationship object IDs created in the product tree:
"fixed": [
  "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.aarch64",
  "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.ppc64le",
  "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.s390x",
  "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src",
  "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64"
]
With the associated remediation entry and link to the Red Hat CSAF advisory:
"category": "vendor_fix",
"url": "https://access.redhat.com/errata/RHSA-2022:1988"
Affected products and their components may link to an explanatory remediation covering why a certain product may not have an available fix:
"known_affected": [
  "red_hat_enterprise_linux_6:kernel",
  "red_hat_enterprise_linux_7:kernel",
  "red_hat_enterprise_linux_7:kernel-rt"
],
{
  "category": "no_fix_planned",
  "details": "Out of support scope",
  "product_ids": [
    "red_hat_enterprise_linux_6:kernel",
    "red_hat_enterprise_linux_7:kernel",
    "red_hat_enterprise_linux_7:kernel-rt"
  ]
}
The no_fix_planned category carries the reason why a patch will not be released. In the example above, no patch will be released because the product is already out of support scope. When the affected product is still supported but the vulnerability is rated as having a Low security impact, the product may also not receive a fix for that vulnerability. This case is represented in the VEX file with the same “no_fix_planned” category and the “Will not fix” detail text:
{
  "category": "no_fix_planned",
  "details": "Will not fix",
  "product_ids": [
    "Openshift_pipelines:openshift-pipelines-client"
  ]
}
The vulnerabilities section also contains the CVSS metrics in the scores field. In the threats field, the impact category carries the Red Hat severity rating for each product and component pair. If an exploit for the vulnerability is known, that information is included in the “exploit_status” category in this section.
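The three sections described above (document, product tree, vulnerabilities) only become useful to a scanner once the relationship ids in product_status are joined back to the product_name and product_version branches they point at. The following is an added example in Python, not Red Hat's tooling, that performs that join and emits one flat record per (product, component, status) with the CPE, the purl where one exists, the Red Hat impact rating and the remediation. SAMPLE_VEX is a constructed document modelled on the fragments quoted in this article: the kernel and BaseOS identifiers copy the article's examples, the purl is derived from that NEVRA, and the CVE id (CVE-2022-0000) is a placeholder. It also shows the purl caveat from the product tree section in practice: the unfixed RHEL 7 kernel entry resolves with purl set to None.

```python
"""Resolve the product_status ids of a Red Hat CSAF-VEX file back to
(product, component) pairs with CPE, purl, impact and remediation.

Added example (not Red Hat's tooling); standard library only. SAMPLE_VEX is
constructed from the fragments quoted in the article; the CVE id is a placeholder.
"""
import json
from typing import Any, Dict, Iterator, List, Optional

SAMPLE_VEX = r"""{
 "document": {"category": "csaf_vex", "csaf_version": "2.0",
  "aggregate_severity": {"namespace": "https://access.redhat.com/security/updates/classification/", "text": "moderate"},
  "tracking": {"id": "CVE-2022-0000", "status": "final"}},
 "product_tree": {
  "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
   {"category": "product_name", "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
    "product": {"name": "Red Hat Enterprise Linux BaseOS (v. 8)", "product_id": "BaseOS-8.6.0.GA",
     "product_identification_helper": {"cpe": "cpe:/o:redhat:enterprise_linux:8::baseos"}}},
   {"category": "product_name", "name": "Red Hat Enterprise Linux 7",
    "product": {"name": "Red Hat Enterprise Linux 7", "product_id": "red_hat_enterprise_linux_7",
     "product_identification_helper": {"cpe": "cpe:/o:redhat:enterprise_linux:7"}}},
   {"category": "product_version", "name": "kernel-0:4.18.0-372.9.1.el8.src",
    "product": {"name": "kernel-0:4.18.0-372.9.1.el8.src", "product_id": "kernel-0:4.18.0-372.9.1.el8.src",
     "product_identification_helper": {"purl": "pkg:rpm/redhat/kernel@4.18.0-372.9.1.el8?arch=src"}}},
   {"category": "product_version", "name": "kernel", "product": {"name": "kernel", "product_id": "kernel"}}]}],
  "relationships": [
   {"category": "default_component_of",
    "full_product_name": {"name": "kernel-0:4.18.0-372.9.1.el8.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
     "product_id": "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src"},
    "product_reference": "kernel-0:4.18.0-372.9.1.el8.src", "relates_to_product_reference": "BaseOS-8.6.0.GA"},
   {"category": "default_component_of",
    "full_product_name": {"name": "kernel as a component of Red Hat Enterprise Linux 7",
     "product_id": "red_hat_enterprise_linux_7:kernel"},
    "product_reference": "kernel", "relates_to_product_reference": "red_hat_enterprise_linux_7"}]},
 "vulnerabilities": [{"cve": "CVE-2022-0000",
  "product_status": {"fixed": ["BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src"],
   "known_affected": ["red_hat_enterprise_linux_7:kernel"]},
  "remediations": [
   {"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2022:1988",
    "product_ids": ["BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src"]},
   {"category": "no_fix_planned", "details": "Out of support scope", "product_ids": ["red_hat_enterprise_linux_7:kernel"]}],
  "threats": [{"category": "impact", "details": "Moderate",
   "product_ids": ["BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src", "red_hat_enterprise_linux_7:kernel"]}]}]
}"""


def iter_products(branches: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Depth-first walk of product_tree.branches yielding every 'product' object,
    whatever vendor/product_family/product_name/product_version nesting is used."""
    for branch in branches:
        if "product" in branch:
            yield branch["product"]
        yield from iter_products(branch.get("branches", []))


def resolve_statuses(vex: Dict[str, Any]) -> List[Dict[str, Optional[str]]]:
    """Flatten every product_status entry into a record a scanner can act on.

    Ids like 'BaseOS-8.6.0.GA:kernel-0:...src' are relationship ids, not products;
    they are joined through product_tree.relationships to the product_name (CPE)
    and product_version (purl) branches. purl is None when no fixed build exists.
    """
    tree = vex["product_tree"]
    products = {p["product_id"]: p for p in iter_products(tree.get("branches", []))}
    relations = {r["full_product_name"]["product_id"]: r for r in tree.get("relationships", [])}
    records: List[Dict[str, Optional[str]]] = []
    for vuln in vex["vulnerabilities"]:
        # Index remediations and impact ratings by product id for direct lookup.
        remediation = {pid: r for r in vuln.get("remediations", []) for pid in r.get("product_ids", [])}
        impact = {pid: t["details"] for t in vuln.get("threats", [])
                  if t.get("category") == "impact" for pid in t.get("product_ids", [])}
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                rel = relations.get(pid)
                if rel is None:
                    raise ValueError(f"{pid} has no entry in product_tree.relationships")
                product = products[rel["relates_to_product_reference"]]
                component = products[rel["product_reference"]]
                fix = remediation.get(pid, {})
                records.append({
                    "cve": vuln["cve"],
                    "status": status,
                    "product": product["name"],
                    "cpe": product.get("product_identification_helper", {}).get("cpe"),
                    "component": component["name"],
                    "purl": component.get("product_identification_helper", {}).get("purl"),
                    "impact": impact.get(pid),
                    "remediation": fix.get("category"),
                    "remediation_details": fix.get("details") or fix.get("url"),
                })
    return records


def resolve_sample() -> List[Dict[str, Optional[str]]]:
    return resolve_statuses(json.loads(SAMPLE_VEX))


if __name__ == "__main__":
    for rec in resolve_sample():
        print(rec)
```

Because the file is keyed by relationship id, a scanner should match on the resolved (cpe, purl or component name) pair rather than on the raw id string, which is how the same component can carry a different status in each Product Stream within one VEX file.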
Will there be future improvements in the security data?
The security data landscape is constantly changing, which is why there will be further improvements in Red Hat security data. Together with VEX files publication, Red Hat extended information available in the CSAF security advisories (RHSAs) by adding:
- information about active exploits,
- purl identifiers for each component,
- information about vulnerability mitigations if any exist,
- information about an OS reboot being required after applying the changes of a given advisory.
In the future, we would like to add a representation of product version ranges to our machine-readable data formats. There are also plans to extend the data with information about layered products and their relationship to the primary products and components affected by a specific vulnerability. All Red Hat security data changes are tracked in the Red Hat Security Data Changelog.
Please contact Red Hat Product Security with any questions regarding security data at [email protected] or file an issue in the public SECDATA Jira project.