The Red Hat Insights dashboard provides information about potential issues in your environment. The dashboard displays graphs and recommendations for Common Vulnerabilities and Exposures (CVEs), risks, exploits, remediation, optimizations, compliance, and more. You can view specific information about systems or issues by clicking on the resources or graphs.
You can view the CVEs list by navigating to → → . The CVEs page has a filterable and sortable list of CVEs that affect one or more systems in your environment. You can sort by publish date, severity, Common Vulnerability Scoring System (CVSS) score, and more. Each CVE entry includes a detailed description that you can access by clicking the CVE identifier. Many CVEs also include remediation in the form of Ansible Playbooks, scripts, or manual steps.
Red Hat Insights can create PDF reports for CVEs from the → → page.
The tool generates a PDF that has general statistics about the CVEs and the security rules that apply to your environment, including detailed information about several of the highest severity CVEs or rules that apply.
The tool enables you to create specific reports that you can filter by various options. You can create a report by clicking . By selecting from the filtering options, you can craft a specific report that has only the information that you need. The tool obtains the information that you request and generates a PDF with the results.
You can analyze the systems in your environment from the → → page. This page has a sortable list of each system in your environment. You can select individual systems from this list to view all the CVEs and security rules that apply to that system, along with advisories and remediation information.
Vulnerability scores are an objective way to gauge the severity of vulnerabilities. Vulnerability scores are presented as Common Vulnerability Scoring System (CVSS) scores. These CVSS scores range from 0.0 to 10.0, with greater values indicating higher severity. CVSS scores supplement Red Hat severity ratings.
The CVSS does not measure risk directly, and instead measures only severity. Depending on your environment, the severity of a vulnerability might not correlate with the risk that it poses. For example, a vulnerability in a web server when processing a specific type of image file might be high severity, but this vulnerability might pose a low risk if your web server has no mechanism to load such a file. Alternatively, a low severity vulnerability that does not allow for privilege escalation on its own might pose a high risk in environments where the vulnerability can be combined with other vulnerabilities. Always perform a comprehensive risk assessment for vulnerabilities that affect your environment.
The CVSS is owned and maintained by the US-based nonprofit, the Forum of Incident Response and Security Teams (FIRST). FIRST develops new CVSS versions over time. The latest version of the CVSS is CVSS 4.0, which was released on November 1, 2023, and which replaces CVSS 3.1. The industry is currently shifting to the new version.
CVSS 3.1 scores use the following factors to calculate a score:
Attack vector (AV)
Attack complexity (AC)
Privileges required (PR)
User interaction (UI)
Scope change (S)
Confidentiality impact (C)
Integrity impact (I)
Availability impact (A)
By entering these factors into a CVSS 3.1 calculator, you can find the base score, and therefore the severity, of a vulnerability.
CVSS 4.0 defines four score nomenclatures, each of which combines a different set of metric groups. Depending on the factors that you need to determine risk in your environment, you might use a specific nomenclature:
CVSS-B
This score uses only the base metrics.
CVSS-BE
This score includes both the base metrics and environmental factors.
CVSS-BT
This score includes both the base metrics and threat factors.
CVSS-BTE
This score includes the base metrics, threat factors, and environmental factors.
CVSS 4.0 scores are based on the following base factors, which expand the CVSS 3.1 factors:
Attack vector (AV)
Attack complexity (AC)
Attack requirements (AT)
Privileges required (PR)
User interaction (UI)
Vulnerable system confidentiality (VC)
Vulnerable system integrity (VI)
Vulnerable system availability (VA)
Subsequent system confidentiality (SC)
Subsequent system integrity (SI)
Subsequent system availability (SA)
The base factors can be expanded with additional threat, environmental, and supplementary factors.
In addition to including CVSS scores, Red Hat rates the severity of security issues in Red Hat products on the Red Hat security rating scale. This scale ranges from Critical to Low impact.
Critical impact
This rating is given to flaws that could easily be exploited by a remote unauthenticated attacker, and which could lead to system compromise (arbitrary code execution) without requiring user interaction. Flaws that require authentication, local or physical access to a system, or an unlikely configuration are not classified as Critical impact. This type of vulnerability can be exploited by worms.
Important impact
This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. This type of vulnerability allows local or authenticated users to gain additional privileges, allows unauthenticated remote users to view resources that should otherwise be protected by authentication or other controls, allows authenticated remote users to execute arbitrary code, or allows remote users to cause a denial of service.
Moderate impact
This rating is given to flaws that might be more difficult to exploit, but which could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances. This type of vulnerability could have a Critical or Important impact, but it is less easily exploited based on a technical evaluation of the flaw, or the vulnerability affects unlikely configurations.
Low impact
This rating is given to all other issues that might have a security impact. This type of vulnerability is generally believed to require unlikely circumstances to be exploited, or a successful exploit would have minimal consequences. This includes flaws that are present in a program's source code but for which no current or theoretically possible, but unproven, exploitation vectors exist or were found during the technical analysis of the flaw.
Red Hat uses the CVSS score along with other factors that are specific to Red Hat products to apply a severity rating for a vulnerability. By using both the CVSS score and the Red Hat severity rating as a starting point, you can analyze how much risk a vulnerability poses to your environment.
For more information about FIRST and CVSS scores, refer to https://www.first.org/cvss/
For more information about Red Hat Insights reports, refer to the Generating Vulnerability Service Reports guide at https://access.redhat.com/documentation/en-us/red_hat_insights/2023/html-single/generating_vulnerability_service_reports/index