Ticket
Resolution: Done
Major
Very Likely
Our organization is in the final stages of transitioning from the OVAL vulnerability feed data to the VEX data. While ensuring that our customers do not notice a major spike in mis-detections, we’ve been comparing the OVAL and VEX data. We’ve made some observations that we would like to note. Please let me know if this is the best forum to submit these inquiries, and if not, where.
We are noticing that in some cases the VEX files are missing a fix for some components that had fixes in the OVAL data. We are providing two examples, but we find this happening with many other vulnerabilities and sub-components.
1. CVE-2022-0235: In the CSAF VEX data, red_hat_enterprise_linux_8:subscription-manager is listed as known_affected. However, the binary package subscription-manager-rhsm-certificates is built from a different source package. This leads to its omission in the VEX data, whereas OVAL data might include it due to its focus on binary RPMs.
    /// CVE-2022-0235 VEX data
    {
      "category": "default_component_of",
      "full_product_name": ,
      "product_reference": "subscription-manager",
      "relates_to_product_reference": "red_hat_enterprise_linux_8"
    }
    <!-- CVE-2022-0235 OVAL RHEL 8 data -->
    <cve cvss3="6.1/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" cwe="CWE-601" href="https://access.redhat.com/security/cve/CVE-2022-0235" impact="moderate" public="20220114">CVE-2022-0235</cve>
    <affected>
      <resolution state="Out of support scope">
        <component>container-tools:rhel8/cockpit-podman</component>
        <component>dnf-plugin-subscription-manager</component>
        <component>python3-cloud-what</component>
        <component>python3-subscription-manager-rhsm</component>
        <component>python3-syspurpose</component>
        <component>rhsm-gtk</component>
        <component>rhsm-icons</component>
        <component>subscription-manager</component>
        <component>subscription-manager-cockpit</component>
        <component>subscription-manager-initial-setup-addon</component>
        <component>subscription-manager-migration</component>
        <component>subscription-manager-plugin-ostree</component>
        <component>subscription-manager-rhsm-certificates</component>
      </resolution>
2. It seems like qemu-guest-agent and libcacard are missing many (100+) CVEs for RHEL7 for the same reason, where kvm seems to be the source. For example, looking at CVE-2015-8345: https://security.access.redhat.com/data/csaf/v2/vex/2015/cve-2015-8345.json In the OVAL data, we can see that qemu-guest-agent, but also qemu-img and libcacard, are listed as affected but “Will not fix”, which is fine. In the VEX data we are noticing that the only component listed on RHEL 7 as affected is qemu-kvm. Are we supposed to recognize that the product qemu-kvm includes these other components? Why is this included in the OVAL but not the VEX data?
    /// CVE-2015-8345 VEX data
    "product_status": {
      "known_affected": [
        "red_hat_enterprise_linux_5:kvm",
        "red_hat_enterprise_linux_6:qemu-kvm",
        "red_hat_enterprise_linux_7:qemu-kvm"
      ]
    <!-- CVE-2015-8345 OVAL RHEL 7 data -->
    <cve cvss2="5.2/AV:A/AC:M/Au:S/C:N/I:N/A:C" cwe="CWE-835" href="https://access.redhat.com/security/cve/CVE-2015-8345" impact="moderate" public="20151120">CVE-2015-8345</cve>
    <affected>
      <resolution state="Will not fix">
        <component>libcacard</component>
        <component>libcacard-devel</component>
        <component>libcacard-tools</component>
        <component>qemu-guest-agent</component>
        <component>qemu-img</component>
        <component>qemu-kvm</component>
        <component>qemu-kvm-common</component>
        <component>qemu-kvm-tools</component>
      </resolution>
    </affected>
3. CVE-2016-7906 has no VEX file, but is still visible here. Is VEX the SOT for our advisories?
    <!-- CVE-2016-7906 OVAL RHEL 7 data -->
    <cve cvss2="5.8/AV:N/AC:M/Au:N/C:P/I:N/A:P" cvss3="5.1/CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" cwe="CWE-416" href="https://access.redhat.com/security/cve/CVE-2016-7906" impact="moderate" public="20160930">CVE-2016-7906</cve>
    <affected>
      <resolution state="Will not fix">
        <component>ImageMagick</component>
        <component>ImageMagick-c++</component>
        <component>ImageMagick-c++-devel</component>
        <component>ImageMagick-devel</component>
        <component>ImageMagick-doc</component>
        <component>ImageMagick-perl</component>
      </resolution>
    </affected>
4. We notice that in some VEX data files, there are advisories where the known_not_affected status contains Product+Package+Fixed Version. Does this mean that older versions are affected, although it isn't placed in the fixed status? e.g. the kernel package for AppStream-9.2.0.GA in CVE-2022-49579. We don’t see AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2 listed in the fixed product status. We see that in the OVAL it’s explicitly listed with “kernel is earlier than 0:5.14.0-284.11.1.el9_2”. We are just trying to make sure this is consistent: if there is a known_not_affected version listed, is this the fixed version for the base package/component?
    /// CVE-2022-49579 VEX data
    "known_not_affected": [
      "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.aarch64",
      "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.ppc64le",
      "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.s390x",
      "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.src",
      "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.x86_64",
      ...
    ]
5. container-tools:rhel8/containers-common also has a discrepancy between OVAL and VEX (for at least 10 CVEs). For example, in CVE-2025-22870, we notice that in the VEX there is no mention of container-tools:rhel8/containers-common, but all the other components of the container-tools product are included under known_affected:
    /// CVE-2025-22870 VEX data
    "known_affected": [
      ...
      "red_hat_enterprise_linux_8:container-tools:rhel8/buildah",
      "red_hat_enterprise_linux_8:container-tools:rhel8/conmon",
      "red_hat_enterprise_linux_8:container-tools:rhel8/containernetworking-plugins",
      "red_hat_enterprise_linux_8:container-tools:rhel8/podman",
      "red_hat_enterprise_linux_8:container-tools:rhel8/skopeo",
      "red_hat_enterprise_linux_8:container-tools:rhel8/toolbox",
      ...
    ]
    <!-- CVE-2025-22870 OVAL RHEL 8 data -->
    <cve cvss3="4.4/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L" cwe="CWE-20" href="https://access.redhat.com/security/cve/CVE-2025-22870" impact="moderate" public="20250312:1827">CVE-2025-22870</cve>
    <affected>
      <resolution state="Fix deferred">
        <component>container-tools:rhel8/buildah</component>
        <component>container-tools:rhel8/buildah-tests</component>
        <component>container-tools:rhel8/conmon</component>
        <component>container-tools:rhel8/containernetworking-plugins</component>
        <component>container-tools:rhel8/containers-common</component>
        <component>container-tools:rhel8/podman</component>
        <component>container-tools:rhel8/podman-catatonit</component>
        <component>container-tools:rhel8/podman-docker</component>
        <component>container-tools:rhel8/podman-gvproxy</component>
        <component>container-tools:rhel8/podman-manpages</component>
        <component>container-tools:rhel8/podman-plugins</component>
        <component>container-tools:rhel8/podman-remote</component>
        <component>container-tools:rhel8/podman-tests</component>
        <component>container-tools:rhel8/skopeo</component>
        <component>container-tools:rhel8/skopeo-tests</component>
        <component>container-tools:rhel8/toolbox</component>
        <component>container-tools:rhel8/toolbox-tests</component>
6. We are noticing lots of discrepancies for mozjs60 CVEs: they are located in the Affected section of RHEL8 OVAL files, but in VEX they are marked known_not_affected. For example, in the VEX file for CVE-2022-33987, we see that the component red_hat_enterprise_linux_8:mozjs60 is listed under known_not_affected. In the OVAL file it’s listed as Affected:
    <!-- CVE-2022-33987 OVAL RHEL 8 data -->
    <cve cvss3="5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" cwe="CWE-601" href="https://access.redhat.com/security/cve/CVE-2022-33987" impact="moderate" public="20220618">CVE-2022-33987</cve>
    <affected>
      <resolution state="Affected">
        <component>mozjs60</component>
        <component>mozjs60-devel</component>
      </resolution>
7. For vulnerabilities affecting php:7.2/libzip, we notice the VEX files are missing CVEs that existed in OVAL for RHEL8. Despite it being “Will not fix” in the advisory, we expect the data to still be present in the VEX data. For example, CVE-2020-7060 with the following VEX file shows “Will not fix” in the advisory. We see many references to the libzip component for php:7.3, though, but not for 7.2. But in the OVAL for RHEL 8, we see that it is present:
    /// CVE-2020-7060 VEX data
    {
      "category": "no_fix_planned",
      "details": "Will not fix",
      "product_ids": [
        "red_hat_enterprise_linux_7:php",
        "red_hat_enterprise_linux_8:php:7.2/php",
        "red_hat_software_collections:rh-php72-php"
      ]
    }
    <!-- CVE-2020-7060 OVAL RHEL 8 data -->
    <cve cvss3="6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L" cwe="CWE-119" href="https://access.redhat.com/security/cve/CVE-2020-7060" impact="moderate" public="20200123">CVE-2020-7060</cve>
    <affected>
      <resolution state="Will not fix">
        <component>php:7.2/apcu-panel</component>
        <component>php:7.2/libzip</component>
        <component>php:7.2/libzip-debugsource</component>
        <component>php:7.2/libzip-devel</component>
        <component>php:7.2/libzip-tools</component>
8. The component firefox is missing 20+ CVEs in VEX that existed in OVAL for RHEL7. For example, CVE-2025-3028 with this VEX file:
    /// CVE-2025-3028 VEX data
    {
      "category": "no_fix_planned",
      "details": "Out of support scope",
      "product_ids": [
        "red_hat_enterprise_linux_6:firefox",
        "red_hat_enterprise_linux_6:thunderbird",
        "red_hat_enterprise_linux_7:thunderbird"
      ]
    },
    {
      "category": "none_available",
      "details": "Affected",
      "product_ids": [
        "red_hat_enterprise_linux_8:thunderbird",
        "red_hat_enterprise_linux_9:firefox-flatpak-container",
        "red_hat_enterprise_linux_9:thunderbird",
        "red_hat_enterprise_linux_9:thunderbird-flatpak-container"
      ]
    }
    <!-- CVE-2025-3028 OVAL RHEL 7 data -->
    <cve cvss3="7.6/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H" cwe="CWE-416" href="https://access.redhat.com/security/cve/CVE-2025-3028" impact="important" public="20250401:1228">CVE-2025-3028</cve>
    <affected>
      <resolution state="Affected">
        <component>firefox</component>
      </resolution>
9. Many CVEs (20+) for glib2 are unaffected in VEX but are affected (with fix) in OVAL for RHEL8. For example, CVE-2020-13543 with VEX. In the VEX data only the fixed status shows AppStream-8.4.0.GA:webkit2gtk3-0:2.30.4-1.el8. Meanwhile, BaseOS-8.4.0.GA:glib2-0:2.56.4-9.el8 is listed under known_not_affected. According to the RHSA, the fixed version should be glib2-2.56.4-9.el8.src.rpm, which matches what the OVAL shows.
    <!-- CVE-2020-13543 OVAL RHEL 8 data -->
    <criteria operator="AND">
      <criterion comment="glib2 is earlier than 0:2.56.4-9.el8" test_ref="oval:com.redhat.rhsa:tst:20211586001"/>
      <criterion comment="glib2 is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.cve:tst:202329499012"/>
    </criteria>
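A comparison script of the kind used to surface the gaps described in items 2 and 4 above, added here as an example (it is not Red Hat tooling and was not part of the ticket). The OVAL and VEX samples are constructed from the excerpts quoted above; the second vulnerability entry reuses the CVE-2022-49579 kernel product ID only to show how an EVR-qualified product ID parses, and real VEX files carry one CVE each.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modeled on the ticket's CVE-2015-8345 excerpts.
OVAL_RHEL7 = """<affected><resolution state="Will not fix">
  <component>libcacard</component><component>qemu-guest-agent</component>
  <component>qemu-img</component><component>qemu-kvm</component>
</resolution></affected>"""

# Constructed: two vulnerability entries in one document for brevity.
VEX = json.loads("""{"vulnerabilities": [
  {"cve": "CVE-2015-8345", "product_status": {"known_affected": [
     "red_hat_enterprise_linux_6:qemu-kvm", "red_hat_enterprise_linux_7:qemu-kvm"]}},
  {"cve": "CVE-2022-49579", "product_status": {"known_not_affected": [
     "AppStream-9.2.0.GA:kernel-0:5.14.0-284.11.1.el9_2.x86_64"]}}]}""")

STATUSES = ("fixed", "known_affected", "known_not_affected", "under_investigation")
# name-EPOCH:VERSION-RELEASE(.ARCH), the shape of build-qualified CSAF product IDs
NEVRA = re.compile(r"^(?P<name>.+)-(?P<epoch>\d+):(?P<ver>[^-]+)-(?P<rel>.+)$")

def split_component(component):
    """Split an EVR-qualified component into (name, evr); bare names get None."""
    m = NEVRA.match(component)
    return (m["name"], f"{m['epoch']}:{m['ver']}-{m['rel']}") if m else (component, None)

def oval_components(xml_text):
    """Map each component in an OVAL <affected> block to its resolution state."""
    root = ET.fromstring(xml_text)
    return {c.text: r.get("state")
            for r in root.iter("resolution") for c in r.iter("component")}

def vex_components(vex, product):
    """Map component names under one CSAF product ID to (status, evr-or-None)."""
    out = {}
    for vuln in vex["vulnerabilities"]:
        for status in STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                prod, _, rest = pid.partition(":")  # product prefix ends at first colon
                if prod == product:
                    name, evr = split_component(rest)
                    out[name] = (status, evr)
    return out

def missing_in_vex(xml_text, vex, product):
    """Components OVAL lists for this product that the VEX data never mentions."""
    return sorted(set(oval_components(xml_text)) - set(vex_components(vex, product)))

if __name__ == "__main__":
    print(missing_in_vex(OVAL_RHEL7, VEX, "red_hat_enterprise_linux_7"))
    print(vex_components(VEX, "AppStream-9.2.0.GA"))
```

Run against a real OVAL definition and the matching VEX file, the first print lists exactly the kind of sub-components (libcacard, qemu-guest-agent, qemu-img) that item 2 reports as absent from VEX.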