Security Data / SECDATA-1128

Clarification on RHEL product CPEs and affected status in VEX files

      Why need this Task?

      I have some doubts about how to correctly interpret the affected status of some RHEL products in VEX files. My main focus is on RHEL products with CPEs like: cpe:/o:redhat:enterprise_linux:<MAJOR>
      The issue I'm running into is that in several cases the VEX data seems to indicate that a RHEL major release is both affected and fixed at the same time, depending on the CPE granularity.

      Description:

      Example 1: CVE-2023-31486

      Web interface shows:

      • Product: RHEL 8
      • Component: perl-HTTP-Tiny
      • State: Fixed (RHSA-2023:7174)

      VEX file shows:

      "product_status": {
        "fixed": [
          ...
          "BaseOS-8.9.0.GA:perl-HTTP-Tiny-0:0.074-2.el8.noarch",
          "BaseOS-8.9.0.GA:perl-HTTP-Tiny-0:0.074-2.el8.src"
        ],
        "known_affected": [
          "red_hat_enterprise_linux_7:perl-HTTP-Tiny",
          "red_hat_enterprise_linux_8:perl-HTTP-Tiny"
        ]
      }


      From the product_tree resolution:

      • fixed: perl-HTTP-Tiny was fixed in v0.074-2.el8 for RHEL BaseOS (v. 8) -> cpe:/o:redhat:enterprise_linux:8::baseos
      • known_affected: perl-HTTP-Tiny is affected in RHEL 8 -> cpe:/o:redhat:enterprise_linux:8

      Questions:

      • Should RHEL 8 (cpe:/o:redhat:enterprise_linux:8) really be considered affected, given that BaseOS (8) is already marked fixed?
      • Is the general CPE listed as affected because there may be other editions of RHEL 8 (outside BaseOS) where the package is still vulnerable?
      • How should this be interpreted: “RHEL 8 is affected except for specific editions like BaseOS where it’s fixed”?


      That was an example with just a few products/components. Here is another example for kernel:

      Example 2: CVE-2021-33033

      Web interface shows:

      • Product: RHEL 7
      • Component: kernel
      • State: Fixed (RHSA-2021:2725)

      VEX file shows kernel as fixed for:

      • cpe:/o:redhat:enterprise_linux:7::client
      • cpe:/o:redhat:enterprise_linux:7::computenode
      • cpe:/o:redhat:enterprise_linux:7::server
      • cpe:/o:redhat:enterprise_linux:7::workstation

      But also as known_affected for:

      • cpe:/o:redhat:enterprise_linux:7

      I have found similar cases for different releases: RHEL 7 (~100), RHEL 8 (~50), RHEL 9 (~1500).
      I have not found any case for RHEL 10.

      Acceptance Criteria: 

      • What is the intended interpretation when a major release CPE (e.g., cpe:/o:redhat:enterprise_linux:8) is listed as affected, while specific editions (e.g., BaseOS) are listed as fixed?
      • Is this a modeling convention (broad CPE = potentially affected, narrow edition = fixed), or an inconsistency in the data?

      Thank you in advance for any insights.

              jsvoboda@redhat.com Jakub Svoboda
              jftuduri Francisco Tuduri
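The product_tree resolution the issue describes (product_status IDs such as "BaseOS-8.9.0.GA:perl-HTTP-Tiny-0:0.074-2.el8.noarch" are relationship entries whose relates_to_product_reference points at the product carrying the CPE) can be automated, which is also how one finds all the cases counted above. The script below is an added example, not code from the issue or from Red Hat; the CSAF document it runs on is a constructed, cut-down sample modelled on the CVE-2023-31486 fields quoted in the description, with product_id and relationship names assumed to follow the layout shown there. It resolves every product_status entry to a CPE, then reports each CVE where a bare major-release CPE is known_affected while an edition CPE under the same major is fixed.

```python
"""Resolve CSAF VEX product_status IDs to CPEs via product_tree and flag CVEs
where a bare major CPE (cpe:/o:redhat:enterprise_linux:8) is known_affected
while an edition CPE under it (...:8::baseos) is fixed.  Added example."""
from collections import defaultdict


def _product(pid, cpe=None):
    """Minimal CSAF product entry for the constructed sample below."""
    helper = {"product_identification_helper": {"cpe": cpe}} if cpe else {}
    return {"name": pid, "product_id": pid, **helper}


def _rel(platform, component):
    """CSAF default_component_of relationship: '<platform>:<component>'."""
    return {"category": "default_component_of",
            "full_product_name": {"name": f"{component} in {platform}",
                                  "product_id": f"{platform}:{component}"},
            "product_reference": component,
            "relates_to_product_reference": platform}


# Constructed sample (not a real Red Hat VEX file), modelled on CVE-2023-31486.
SAMPLE_VEX = {
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Red Hat", "branches": [
            {"category": "product_family", "name": "Red Hat Enterprise Linux",
             "branches": [
                 {"category": "product_name", "name": "RHEL 7",
                  "product": _product("red_hat_enterprise_linux_7",
                                      "cpe:/o:redhat:enterprise_linux:7")},
                 {"category": "product_name", "name": "RHEL 8",
                  "product": _product("red_hat_enterprise_linux_8",
                                      "cpe:/o:redhat:enterprise_linux:8")},
                 {"category": "product_name", "name": "RHEL BaseOS (v. 8)",
                  "product": _product("BaseOS-8.9.0.GA",
                                      "cpe:/o:redhat:enterprise_linux:8::baseos")},
             ]},
            {"category": "product_version", "name": "perl-HTTP-Tiny",
             "product": _product("perl-HTTP-Tiny")},
            {"category": "product_version", "name": "perl-HTTP-Tiny-0:0.074-2.el8",
             "product": _product("perl-HTTP-Tiny-0:0.074-2.el8.noarch")},
        ]}],
        "relationships": [
            _rel("BaseOS-8.9.0.GA", "perl-HTTP-Tiny-0:0.074-2.el8.noarch"),
            _rel("red_hat_enterprise_linux_7", "perl-HTTP-Tiny"),
            _rel("red_hat_enterprise_linux_8", "perl-HTTP-Tiny"),
        ],
    },
    "vulnerabilities": [{
        "cve": "CVE-2023-31486",
        "product_status": {
            "fixed": ["BaseOS-8.9.0.GA:perl-HTTP-Tiny-0:0.074-2.el8.noarch"],
            "known_affected": ["red_hat_enterprise_linux_7:perl-HTTP-Tiny",
                               "red_hat_enterprise_linux_8:perl-HTTP-Tiny"],
        },
    }],
}


def _collect_products(branches, index):
    """Walk the branch tree; record product_id -> CPE (None if only a purl)."""
    for branch in branches:
        product = branch.get("product")
        if product:
            helper = product.get("product_identification_helper", {})
            index[product["product_id"]] = helper.get("cpe")
        _collect_products(branch.get("branches", []), index)


def build_indexes(doc):
    """Return (cpe_by_id, platform_by_id) for the document's product_tree."""
    tree = doc["product_tree"]
    cpe_by_id = {}
    _collect_products(tree.get("branches", []), cpe_by_id)
    platform_by_id = {r["full_product_name"]["product_id"]:
                      r["relates_to_product_reference"]
                      for r in tree.get("relationships", [])}
    return cpe_by_id, platform_by_id


def resolve_cpe(product_id, cpe_by_id, platform_by_id):
    """Follow relationships platform-wards until a product with a CPE is hit."""
    seen = set()
    while product_id not in seen:
        seen.add(product_id)
        if cpe_by_id.get(product_id):
            return cpe_by_id[product_id]
        if product_id not in platform_by_id:
            return None
        product_id = platform_by_id[product_id]
    return None  # cycle in relationships: malformed document


def split_cpe(cpe):
    """'cpe:/o:redhat:enterprise_linux:8::baseos' -> (major CPE, 'baseos')."""
    fields = cpe[len("cpe:/"):].split(":")
    return "cpe:/" + ":".join(fields[:4]), (fields[5] if len(fields) > 5 else "")


def statuses_by_cpe(doc):
    """cve -> {cpe: set of product_status categories resolving to that CPE}."""
    cpe_by_id, platform_by_id = build_indexes(doc)
    out = {}
    for vuln in doc.get("vulnerabilities", []):
        per_cpe = defaultdict(set)
        for status, ids in vuln.get("product_status", {}).items():
            for pid in ids:
                cpe = resolve_cpe(pid, cpe_by_id, platform_by_id)
                if cpe:
                    per_cpe[cpe].add(status)
        out[vuln["cve"]] = dict(per_cpe)
    return out


def broad_affected_narrow_fixed(doc):
    """[(cve, bare major CPE, sorted fixed edition CPEs under that major)]."""
    findings = []
    for cve, per_cpe in statuses_by_cpe(doc).items():
        for cpe, statuses in per_cpe.items():
            base, edition = split_cpe(cpe)
            if edition or "known_affected" not in statuses:
                continue
            fixed = sorted(o for o, st in per_cpe.items()
                           if o != cpe and split_cpe(o)[0] == base and "fixed" in st)
            if fixed:
                findings.append((cve, cpe, fixed))
    return findings


if __name__ == "__main__":
    for cve, broad, fixed in broad_affected_narrow_fixed(SAMPLE_VEX):
        print(f"{cve}: {broad} known_affected, fixed in {', '.join(fixed)}")
```

Pointing SAMPLE_VEX at a real Red Hat VEX file (json.load of one document per CVE) turns this into the per-release count the issue gives; the RHEL 7 entry in the sample shows the other shape, a bare major CPE that is known_affected with no edition fixed beside it, which the report deliberately leaves out.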