Ticket
Resolution: Unresolved
Current Behavior
In some CSAF VEX files, the `remediations` section and `product_status.known_affected` only include source packages (`.src`) and internal packages (`-selftests-internal`), while the main binary packages are missing.
For example, in CVE-2022-49218:
$ curl -s https://security.access.redhat.com/data/csaf/v2/vex/2022/cve-2022-49218.json | jq '{known_affected_kernel_rt: [.vulnerabilities[0].product_status.known_affected[] | select(test("kernel-rt"))], remediations_kernel_rt: [.vulnerabilities[0].remediations[].product_ids[] | select(test("kernel-rt"))]}'
{
  "known_affected_kernel_rt": [
    "red_hat_enterprise_linux_9:kernel-rt-selftests-internal",
    "red_hat_enterprise_linux_9:kernel-rt.src"
  ],
  "remediations_kernel_rt": [
    "red_hat_enterprise_linux_9:kernel-rt-selftests-internal",
    "red_hat_enterprise_linux_9:kernel-rt.src"
  ]
}
Only `kernel-rt-selftests-internal` and `kernel-rt.src` are listed. The main binary packages (`kernel-rt`, `kernel-rt-core`, `kernel-rt-debug`, etc.) are missing.
Note: The `kernel-rt` product is correctly defined in the product tree with a proper PURL (`pkg:rpm/redhat/kernel-rt` without `arch=src`), but it is not referenced in `known_affected` or `remediations`.
Expected Behavior
The `remediations` and `product_status.known_affected` should include all affected binary packages, not just source and internal packages.
For comparison, CVE-2024-53055 correctly includes 22 kernel-rt packages:
$ curl -s https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-53055.json | jq '[.vulnerabilities[0].remediations[] | select(.category == "none_available") | .product_ids[] | select(test("kernel-rt"))]'
[
  "red_hat_enterprise_linux_9:kernel-rt",
  "red_hat_enterprise_linux_9:kernel-rt-core",
  "red_hat_enterprise_linux_9:kernel-rt-debug",
  "red_hat_enterprise_linux_9:kernel-rt-debug-core",
  "red_hat_enterprise_linux_9:kernel-rt-debug-devel",
  "red_hat_enterprise_linux_9:kernel-rt-debug-devel-matched",
  "red_hat_enterprise_linux_9:kernel-rt-debug-kvm",
  "red_hat_enterprise_linux_9:kernel-rt-debug-modules",
  "red_hat_enterprise_linux_9:kernel-rt-debug-modules-core",
  "red_hat_enterprise_linux_9:kernel-rt-debug-modules-extra",
  "red_hat_enterprise_linux_9:kernel-rt-debug-modules-internal",
  "red_hat_enterprise_linux_9:kernel-rt-debug-modules-partner",
  "red_hat_enterprise_linux_9:kernel-rt-devel",
  "red_hat_enterprise_linux_9:kernel-rt-devel-matched",
  "red_hat_enterprise_linux_9:kernel-rt-kvm",
  "red_hat_enterprise_linux_9:kernel-rt-modules",
  "red_hat_enterprise_linux_9:kernel-rt-modules-core",
  "red_hat_enterprise_linux_9:kernel-rt-modules-extra",
  "red_hat_enterprise_linux_9:kernel-rt-modules-internal",
  "red_hat_enterprise_linux_9:kernel-rt-modules-partner",
  "red_hat_enterprise_linux_9:kernel-rt-selftests-internal",
  "red_hat_enterprise_linux_9:kernel-rt.src"
]
Result includes: `kernel-rt`, `kernel-rt-core`, `kernel-rt-debug`, `kernel-rt-debug-core`, etc.
Steps to reproduce
# 1. Fetch CVE-2022-49218:
curl -s https://security.access.redhat.com/data/csaf/v2/vex/2022/cve-2022-49218.json -o cve-2022-49218.json
# 2. Check kernel-rt packages in remediations:
jq '[.vulnerabilities[0].remediations[].product_ids[] | select(test("kernel-rt"))]' cve-2022-49218.json
# 3. Observe that only `kernel-rt-selftests-internal` and `kernel-rt.src` are listed.
# 4. Compare with CVE-2024-53055, which correctly lists all kernel-rt binary packages.
Impact Statement
When a vulnerability scanner parses these CSAF VEX files, the missing binary package references mean the affected packages are never matched and go undetected. In the case of CVE-2022-49218, users running `kernel-rt` on RHEL 9 would not be alerted to this vulnerability.
For reference, OVALv2 data correctly identifies `kernel-rt` as affected for this CVE.
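The gap described above is detectable from the VEX document alone: the product tree declares the binary `kernel-rt` products (PURL without `arch=src`), yet no product status or remediation references them. The script below is an added example, not the ticket author's code or Red Hat's tooling; it runs against a constructed, minimal CSAF VEX document (`SAMPLE_VEX`) that mirrors the shape of the real file, and the function and variable names are my own. It walks `product_tree.branches` for binary components, maps them to their combined product ids via `product_tree.relationships`, and reports any binary product that appears in neither `product_status` nor `remediations` for each vulnerability. A product legitimately listed under `known_not_affected` or `fixed` is not flagged, so a non-empty result points at exactly the kind of incomplete VEX data this ticket reports.

```python
"""Consistency check for a CSAF VEX document: binary products declared in the
product tree but never referenced by any vulnerability's product status or
remediations. Added example; not the ticket author's or Red Hat's code."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample mirroring the structure of the real CSAF VEX file
# (a handful of kernel-rt components instead of the full set).
SAMPLE_VEX = {
    "product_tree": {
        "branches": [{
            "category": "vendor", "name": "Red Hat",
            "branches": [
                {"category": "product_name", "name": "Red Hat Enterprise Linux 9",
                 "product": {"name": "Red Hat Enterprise Linux 9",
                             "product_id": "red_hat_enterprise_linux_9"}},
                {"category": "product_version", "name": "kernel-rt",
                 "product": {"name": "kernel-rt", "product_id": "kernel-rt",
                             "product_identification_helper": {"purl": "pkg:rpm/redhat/kernel-rt"}}},
                {"category": "product_version", "name": "kernel-rt-core",
                 "product": {"name": "kernel-rt-core", "product_id": "kernel-rt-core",
                             "product_identification_helper": {"purl": "pkg:rpm/redhat/kernel-rt-core"}}},
                {"category": "product_version", "name": "kernel-rt-selftests-internal",
                 "product": {"name": "kernel-rt-selftests-internal",
                             "product_id": "kernel-rt-selftests-internal",
                             "product_identification_helper": {"purl": "pkg:rpm/redhat/kernel-rt-selftests-internal"}}},
                {"category": "product_version", "name": "kernel-rt.src",
                 "product": {"name": "kernel-rt.src", "product_id": "kernel-rt.src",
                             "product_identification_helper": {"purl": "pkg:rpm/redhat/kernel-rt?arch=src"}}},
            ]}],
        "relationships": [
            {"category": "default_component_of",
             "full_product_name": {"name": f"{c} as a component of Red Hat Enterprise Linux 9",
                                   "product_id": f"red_hat_enterprise_linux_9:{c}"},
             "product_reference": c,
             "relates_to_product_reference": "red_hat_enterprise_linux_9"}
            for c in ("kernel-rt", "kernel-rt-core", "kernel-rt-selftests-internal", "kernel-rt.src")
        ],
    },
    "vulnerabilities": [{
        "cve": "CVE-2022-49218",
        "product_status": {"known_affected": [
            "red_hat_enterprise_linux_9:kernel-rt-selftests-internal",
            "red_hat_enterprise_linux_9:kernel-rt.src"]},
        "remediations": [{"category": "none_available", "product_ids": [
            "red_hat_enterprise_linux_9:kernel-rt-selftests-internal",
            "red_hat_enterprise_linux_9:kernel-rt.src"]}],
    }],
}


def iter_products(branches):
    """Yield every product object found anywhere in a nested branches list."""
    for branch in branches:
        if "product" in branch:
            yield branch["product"]
        yield from iter_products(branch.get("branches", []))


def is_source_purl(purl):
    """True when the PURL carries arch=src, i.e. it names a source RPM."""
    if not purl:
        return False
    query = parse_qs(urlsplit(purl).query)
    return "src" in query.get("arch", [])


def referenced_product_ids(vuln):
    """All product ids a vulnerability entry references in any status or remediation."""
    ids = set()
    for status_ids in vuln.get("product_status", {}).values():
        ids.update(status_ids)
    for remediation in vuln.get("remediations", []):
        ids.update(remediation.get("product_ids", []))
    return ids


def find_unreferenced_binary_products(doc, name_filter=""):
    """Map each CVE to the sorted list of binary (non-src) full product ids that
    the product tree declares but the vulnerability entry never references."""
    tree = doc["product_tree"]
    binary_components = set()
    for product in iter_products(tree.get("branches", [])):
        purl = product.get("product_identification_helper", {}).get("purl")
        if purl and not is_source_purl(purl) and name_filter in product["product_id"]:
            binary_components.add(product["product_id"])
    # Relationships give the combined "<platform>:<component>" ids used in product_status.
    full_ids = {rel["full_product_name"]["product_id"]
                for rel in tree.get("relationships", [])
                if rel["product_reference"] in binary_components}
    return {vuln["cve"]: sorted(full_ids - referenced_product_ids(vuln))
            for vuln in doc.get("vulnerabilities", [])}


if __name__ == "__main__":
    # Run the same check against the sample document and print the gaps.
    print(json.dumps(find_unreferenced_binary_products(SAMPLE_VEX, "kernel-rt"), indent=2))
```

To run it against a downloaded file, replace `SAMPLE_VEX` with `json.load(open("cve-2022-49218.json"))`; the `name_filter` argument narrows the report to one package family, as the `jq` filters above do.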
Attachments & Links
- Affected CVE example:
- Working CVE example (for comparison):