Bug
Resolution: Unresolved
Major
Important
Very Likely
Current Behavior
Example: CVE-2025-2487 (RHSA-2025:7395)
This is one of many affected CVEs. CSAF VEX data for RHSA-2025:7395 contains only 2 CPEs:
- cpe:/a:redhat:enterprise_linux:9::appstream
- cpe:/a:redhat:enterprise_linux:9::crb
The following CPEs are missing (59 out of 61 CPEs):
| Missing CPE Type | Examples |
|---|---|
| Base RHEL 9 components | `enterprise_linux:9::sap`, `enterprise_linux:9::sap_hana`, `enterprise_linux:9::highavailability`, `enterprise_linux:9::nfv`, `enterprise_linux:9::realtime`, `enterprise_linux:9::resilientstorage` |
| RHEL 9.6 EUS | `rhel_eus:9.6::appstream`, `rhel_eus:9.6::crb`, `rhel_eus:9.6::sap`, `rhel_eus:9.6::sap_hana` |
| RHEL 9.6 AUS | `rhel_aus:9.6::appstream`, `rhel_aus:9.6::baseos` |
| RHEL 9.6 E4S | `rhel_e4s:9.6::appstream`, `rhel_e4s:9.6::sap`, `rhel_e4s:9.6::sap_hana` |
| RHEL 9.8 EUS | `rhel_eus:9.8::appstream`, `rhel_eus:9.8::crb`, `rhel_eus:9.8::sap`, `rhel_eus:9.8::sap_hana` |
| RHEL 9.8 E4S | `rhel_e4s:9.8::appstream`, `rhel_e4s:9.8::sap`, `rhel_e4s:9.8::sap_hana` |
Expected Behavior
CSAF VEX should include the same CPEs as OVALv2 for the same advisory. For RHSA-2025:7395, OVALv2 includes 61 unique CPEs across 7 streams, including:
- rhel-9: `enterprise_linux:9::*`
- rhel-9.6-eus: `rhel_eus:9.6::*`
- rhel-9.6-aus: `rhel_aus:9.6::*`
- rhel-9.6-e4s: `rhel_e4s:9.6::*`
- rhel-9.8-eus: `rhel_eus:9.8::*`
- rhel-9.8-e4s: `rhel_e4s:9.8::*`
Examples of CPEs in OVALv2 but missing in CSAF VEX:
- `cpe:/a:redhat:enterprise_linux:9::sap`
- `cpe:/a:redhat:enterprise_linux:9::sap_hana`
- `cpe:/a:redhat:enterprise_linux:9::highavailability`
- `cpe:/a:redhat:enterprise_linux:9::nfv`
- `cpe:/a:redhat:rhel_eus:9.6::appstream`
- `cpe:/a:redhat:rhel_aus:9.6::appstream`
- `cpe:/a:redhat:rhel_e4s:9.6::appstream`
- `cpe:/a:redhat:rhel_eus:9.8::appstream`
- `cpe:/a:redhat:rhel_e4s:9.8::appstream`
- ... and 50+ more
Steps to Reproduce
1. Get CPEs from CSAF VEX for RHSA-2025:7395
```shell
$ curl -s "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-2487.json" \
  | jq -r '.vulnerabilities[0].remediations[] | select(.url // "" | test("RHSA-2025:7395")) | .product_ids[]' \
  | cut -d: -f1 | sort -u
AppStream-9.6.0.Z.MAIN.EUS
CRB-9.6.0.Z.MAIN.EUS
```
These 2 streams map to only 2 CPEs:
- `cpe:/a:redhat:enterprise_linux:9::appstream`
- `cpe:/a:redhat:enterprise_linux:9::crb`
Missing: `rhel_eus:9.6`, `rhel_aus:9.6`, `rhel_e4s:9.6`, and SAP/HA/NFV variants.
2. Compare with OVALv2
Base RHEL 9 (13 CPEs including SAP/HA/NFV):
https://github.com/aquasecurity/vuln-list-redhat/blob/6956279d67fa471b78e563ce416de4fe59962524/oval/9/rhel-9/definitions/2025/RHSA-2025%3A7395.json#L54-L68
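The comparison in the two steps above can be automated. The following Python script is an added example for this report (it is not Red Hat's tooling and not part of the original text): it walks a CSAF VEX `product_tree` to map each product stream id to its CPE, collects the CPEs behind the `product_ids` of the remediation whose `url` names the advisory (the same stream prefix the `cut -d: -f1` step extracts), pulls the `<affected_cpe_list>` out of an OVALv2 definition, and reports the CPEs OVAL lists that CSAF VEX lacks. Both inputs are constructed, minimal fragments shaped like Red Hat's files, not the real `cve-2025-2487.json` or the real OVAL definition, and the package name `examplepkg` is a placeholder; the OVAL sample carries only ten of the 61 CPEs, taken from the lists above.

```python
"""Diff the CPEs a CSAF VEX file attaches to an advisory against the CPEs
the OVALv2 definition for the same advisory lists.  Added example; all
input data below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed CSAF VEX excerpt in the shape of Red Hat's files.  Streams are
# mapped to CPEs in product_tree; remediation product_ids are "<stream>:<nevra>".
# "examplepkg" is a placeholder, not the package shipped in RHSA-2025:7395.
CSAF_VEX = {
    "product_tree": {"branches": [{"category": "vendor", "name": "Red Hat", "branches": [{
        "category": "product_family", "name": "Red Hat Enterprise Linux", "branches": [
            {"category": "product_name", "name": "Red Hat Enterprise Linux AppStream (v. 9)",
             "product": {"product_id": "AppStream-9.6.0.Z.MAIN.EUS",
                         "product_identification_helper": {
                             "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"}}},
            {"category": "product_name", "name": "Red Hat Enterprise Linux CRB (v. 9)",
             "product": {"product_id": "CRB-9.6.0.Z.MAIN.EUS",
                         "product_identification_helper": {
                             "cpe": "cpe:/a:redhat:enterprise_linux:9::crb"}}},
        ]}]}]},
    "vulnerabilities": [{"cve": "CVE-2025-2487", "remediations": [{
        "category": "vendor_fix",
        "url": "https://access.redhat.com/errata/RHSA-2025:7395",
        "product_ids": ["AppStream-9.6.0.Z.MAIN.EUS:examplepkg-0:1.0-1.el9_6.x86_64",
                        "CRB-9.6.0.Z.MAIN.EUS:examplepkg-devel-0:1.0-1.el9_6.x86_64"]}]}],
}

# Constructed OVALv2 definition excerpt: only the affected_cpe_list matters here.
OVAL_XML = """<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  class="patch" id="oval:com.redhat.rhsa:def:20257395">
  <metadata><title>RHSA-2025:7395: example security update (Important)</title>
    <advisory from="secalert@redhat.com"><affected_cpe_list>
      <cpe>cpe:/a:redhat:enterprise_linux:9::appstream</cpe>
      <cpe>cpe:/a:redhat:enterprise_linux:9::crb</cpe>
      <cpe>cpe:/a:redhat:enterprise_linux:9::sap</cpe>
      <cpe>cpe:/a:redhat:enterprise_linux:9::sap_hana</cpe>
      <cpe>cpe:/a:redhat:enterprise_linux:9::highavailability</cpe>
      <cpe>cpe:/a:redhat:enterprise_linux:9::nfv</cpe>
      <cpe>cpe:/a:redhat:rhel_eus:9.6::appstream</cpe>
      <cpe>cpe:/a:redhat:rhel_aus:9.6::appstream</cpe>
      <cpe>cpe:/a:redhat:rhel_e4s:9.6::appstream</cpe>
      <cpe>cpe:/a:redhat:rhel_eus:9.8::appstream</cpe>
    </affected_cpe_list></advisory></metadata>
</definition>"""


def _stream_to_cpe(branches, out=None):
    """Recursively map CSAF product_id -> CPE from product_tree branches."""
    out = {} if out is None else out
    for branch in branches:
        product = branch.get("product", {})
        cpe = product.get("product_identification_helper", {}).get("cpe")
        if cpe:
            out[product["product_id"]] = cpe
        _stream_to_cpe(branch.get("branches", []), out)
    return out


def csaf_cpes(doc, advisory):
    """CPEs of every stream the advisory's remediations touch.  The stream is
    the product_id up to the first ':' (what `cut -d: -f1` extracts).  A stream
    with no CPE is an error rather than silently dropped, since a scanner
    would drop it silently too."""
    stream_cpe = _stream_to_cpe(doc["product_tree"]["branches"])
    cpes = set()
    for vuln in doc["vulnerabilities"]:
        for rem in vuln.get("remediations", []):
            if advisory not in rem.get("url", ""):
                continue
            for pid in rem.get("product_ids", []):
                stream = pid.split(":", 1)[0]
                if stream not in stream_cpe:
                    raise KeyError(f"product_tree has no CPE for stream {stream}")
                cpes.add(stream_cpe[stream])
    return cpes


def oval_cpes(xml_text):
    """CPEs from <affected_cpe_list> of an OVALv2 definition (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "cpe" and el.text}


def coverage_gap(csaf, oval):
    """Platforms a CPE-matching scanner fed only CSAF VEX would never match."""
    return {"missing_from_csaf": sorted(oval - csaf),
            "only_in_csaf": sorted(csaf - oval),
            "coverage": len(csaf & oval) / len(oval) if oval else 1.0}


if __name__ == "__main__":
    gap = coverage_gap(csaf_cpes(CSAF_VEX, "RHSA-2025:7395"), oval_cpes(OVAL_XML))
    print(f"CSAF VEX covers {gap['coverage']:.0%} of the OVAL CPEs; missing:")
    for cpe in gap["missing_from_csaf"]:
        print("  ", cpe)
```

To run it against the real files, replace `CSAF_VEX` with `json.load()` of the downloaded VEX document and `OVAL_XML` with the `<definition>` element for the advisory from Red Hat's OVALv2 feed; `csaf_cpes` raises on any remediation stream that `product_tree` does not map to a CPE, which is itself worth flagging in a report.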
Impact Statement
Vulnerability scanners that match advisories to hosts by platform CPE and rely on CSAF VEX data will produce false negatives (no finding for RHSA-2025:7395) on systems whose CPE is one of the missing ones, i.e. users running:
- RHEL 9 SAP, SAP HANA, HighAvailability, NFV, RealTime, ResilientStorage variants
- RHEL 9.6 EUS (Extended Update Support)
- RHEL 9.6 AUS (Advanced Update Support)
- RHEL 9.6 E4S (Update Services for SAP Solutions)
- RHEL 9.8 EUS (Extended Update Support)
- RHEL 9.8 E4S (Update Services for SAP Solutions)
- and probably more; this list is not comprehensive
This affects enterprise customers who rely on these extended support offerings for mission-critical systems. Only 2 out of 61 CPEs (3%) are present in CSAF VEX.
Attachments & Links
- Red Hat Errata page: https://access.redhat.com/errata/RHSA-2025:7395
- CVE page: https://access.redhat.com/security/cve/CVE-2025-2487