Security Data / SECDATA-1177

CSAF VEX CPE Issue: Missing Variant Suffixes for Unfixed Vulnerabilities


    • Type: Ticket
    • Resolution: Unresolved
    • Priority: Major

      Current Behavior

      CSAF VEX data for unfixed vulnerabilities only provides base CPEs without variant suffixes.

      For example, CVE-2024-0217 in CSAF VEX (`csaf-vex/2024/cve-2024-0217.json`):

      "product_identification_helper": {
        "cpe": "cpe:/o:redhat:enterprise_linux:8"
      }

      Expected Behavior

      CSAF VEX should provide all specific CPEs with variant suffixes, similar to OVALv2 data.

      For example, CVE-2024-0217 in OVALv2:

      "AffectedCpeList": [
        "cpe:/a:redhat:enterprise_linux:8",
        "cpe:/a:redhat:enterprise_linux:8::appstream",
        "cpe:/a:redhat:enterprise_linux:8::crb",
        "cpe:/a:redhat:enterprise_linux:8::highavailability",
        "cpe:/a:redhat:enterprise_linux:8::nfv",
        "cpe:/a:redhat:enterprise_linux:8::realtime",
        "cpe:/a:redhat:enterprise_linux:8::resilientstorage",
        "cpe:/a:redhat:enterprise_linux:8::sap",
        "cpe:/a:redhat:enterprise_linux:8::sap_hana",
        "cpe:/a:redhat:enterprise_linux:8::supplementary",
        "cpe:/o:redhat:enterprise_linux:8",
        "cpe:/o:redhat:enterprise_linux:8::baseos"
      ]

      Steps to Reproduce

      $ curl -s https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-0217.json | jq '.product_tree.branches[0].branches[] | select(.name | contains("Linux 8")) | .branches[0].product.product_identification_helper.cpe'
      "cpe:/o:redhat:enterprise_linux:8"

      Compare this with the OVALv2 data for the same CVE, which includes all variant suffixes such as `::baseos`, `::appstream`, etc.

      Impact Statement

      Vulnerability scanners that use CSAF VEX data cannot detect unfixed vulnerabilities in Red Hat product container images.

      This issue affects not only RHEL but also other Red Hat products. For example:

      Product    OVALv2                                      CSAF VEX
      RHEL8      cpe:/o:redhat:enterprise_linux:8::baseos    cpe:/o:redhat:enterprise_linux:8
      OpenShift  cpe:/a:redhat:openshift:3.11::el7           cpe:/a:redhat:openshift:3.11

      Container images have specific CPEs derived from their repository content sets:

      • `rhel-8-for-x86_64-baseos-rpms` -> `cpe:/o:redhat:enterprise_linux:8::baseos`
      • `rhel-8-for-x86_64-appstream-rpms` -> `cpe:/a:redhat:enterprise_linux:8::appstream`

      Since CSAF VEX only provides `cpe:/o:redhat:enterprise_linux:8` (without `::baseos`), CPE matching fails and unfixed vulnerabilities are not reported.

      This affects all unfixed vulnerability statuses: "Affected", "Fix deferred", "Will not fix", "Out of support scope".
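      The matching failure described above, as an added illustration that is not part of this ticket or of any Red Hat or scanner code base: a small CPE 2.2 parser with a strict (string-equality) matcher beside a defensive "base CPE covers all variants" matcher a scanner could apply as a workaround until the VEX data carries the suffixes. The sample CPE lists are constructed from the values quoted in this ticket; the parser treats Red Hat's `::baseos`-style suffix as the CPE 2.2 edition field, which is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data, taken from the values quoted in this ticket.
VEX_CPES = ["cpe:/o:redhat:enterprise_linux:8"]              # CSAF VEX: base CPE only
OVAL_CPES = ["cpe:/o:redhat:enterprise_linux:8",             # OVALv2: base + variants
             "cpe:/o:redhat:enterprise_linux:8::baseos",
             "cpe:/a:redhat:enterprise_linux:8",
             "cpe:/a:redhat:enterprise_linux:8::appstream"]
# CPEs a scanner derives from a container image's repository content sets.
IMAGE_CPES = {"rhel-8-for-x86_64-baseos-rpms": "cpe:/o:redhat:enterprise_linux:8::baseos",
              "rhel-8-for-x86_64-appstream-rpms": "cpe:/a:redhat:enterprise_linux:8::appstream"}

@dataclass(frozen=True)
class Cpe:
    part: str     # "o" = operating system, "a" = application
    vendor: str
    product: str
    version: str
    variant: str  # CPE 2.2 "edition" field; assumed to carry Red Hat's ::baseos, ::appstream, ...

def parse_cpe(uri: str) -> Cpe:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update:edition)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (6 - len(fields))  # pad the optional trailing components
    part, vendor, product, version, _update, edition = fields[:6]
    return Cpe(part, vendor, product, version, edition)

def exact_match(advisory_cpe: str, image_cpe: str) -> bool:
    """Plain string equality: what a strict scanner does, and why the VEX finding is missed."""
    return advisory_cpe == image_cpe

def base_match(advisory_cpe: str, image_cpe: str) -> bool:
    """Workaround: an advisory CPE without a variant covers every variant of
    that part/vendor/product/version. A suffixed advisory CPE still needs an
    exact variant match, and part is compared strictly, so the "o" base CPE
    does not cover an "a" (appstream) image CPE; OVAL lists those separately."""
    adv, img = parse_cpe(advisory_cpe), parse_cpe(image_cpe)
    if (adv.part, adv.vendor, adv.product, adv.version) != (img.part, img.vendor, img.product, img.version):
        return False
    return adv.variant in ("", img.variant)

def affected(advisory_cpes: list[str], image_cpes: list[str], strict: bool = True) -> bool:
    """True if any advisory CPE matches any CPE of the image."""
    match = exact_match if strict else base_match
    return any(match(a, i) for a in advisory_cpes for i in image_cpes)
```

With the constructed image CPEs, `affected(OVAL_CPES, ...)` is True and `affected(VEX_CPES, ...)` is False under strict matching; only the base-CPE workaround recovers the finding from the VEX data.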

      Assignee: Unassigned
      Reporter: Teppei Fukuda (teppei.aqua)