A complete view of system vulnerabilities using Red Hat Insights
Maintaining and managing the security exposure of your infrastructure can often be an uphill battle. Red Hat Insights makes it much easier if your Red Hat Enterprise Linux servers are registered with Insights. The Insights Vulnerability service lets users assess, triage, prioritize and remediate the most critical vulnerabilities affecting their servers, using built-in threat intelligence and the integration with Red Hat Ansible Automation Platform. Over the last few years the Vulnerability service has been steadily enhanced to keep delivering that value.
Red Hat Insights is a software-as-a-service (SaaS) offering, included with every Red Hat Enterprise Linux (RHEL) subscription. It continuously analyzes platforms and applications to help you manage your hybrid cloud environment and uses predictive analytics and deep domain expertise to reduce the time required to perform complex operational tasks from hours to minutes. This includes identifying security and performance risks, tracking subscription utilization and managing costs.
You can now view CVEs that do not have errata
Until now, the Insights Vulnerability service only let users assess and address Common Vulnerabilities and Exposures (CVEs) that either come with a Red Hat-provided fix, delivered as errata or advisories, or carry the Security Rule label. The latest feature release expands that scope: users can now see and evaluate CVEs that currently have no associated Red Hat errata.
Let's look at the underlying reasons why a CVE might not yet have a corresponding erratum, or why errata may be available for some RHEL versions but not others:
- Ongoing investigation and potential future fixes: The absence of an erratum may simply mean Red Hat is still investigating the CVE. A fix may still be developed and provided in due course.
- Risk evaluation and business justification: Red Hat may decide against delivering an erratum for a particular CVE after assessing that its potential impact is limited. As articulated by Red Hat's Vice President of Product Security, Vincent Danen, “most vulnerabilities have minimal opportunity to cause harm.” Treating every vulnerability as equally urgent is impractical and cost-prohibitive at scale.
- End of support for vulnerable systems: When the affected system or operating system (OS) version is no longer supported, no fix will be produced for it. We strongly recommend moving to a supported version or adopting alternative protective measures.
- Deferred fixes with varied reasons: A fix for a given CVE may be deferred for reasons ranging from technical complexity to strategic considerations.
Any combination of these factors can apply to a given CVE across different RHEL versions. Whatever the reason, understanding the full extent of your organization's exposure to CVEs, with or without associated errata, remains a key part of proactive decision-making. This expanded feature gives you the data you need to make informed decisions and to prioritize where your organization should focus.
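To make the reasons above concrete, here is an added example (not code from the post, from Insights or from Red Hat) that takes a CVE record and reports, per RHEL release, whether an erratum exists and, if not, which of the listed reasons applies. It assumes the layout of Red Hat's public Security Data API CVE JSON (https://access.redhat.com/hydra/rest/securitydata/cve/<CVE-ID>.json), in particular the `affected_release`, `package_state` and `fix_state` fields and the `fix_state` vocabulary; those are assumptions about that API, and the sample record is constructed with placeholder identifiers rather than describing any real CVE.

```python
"""Classify a CVE's fix status per RHEL release.

Added example, not code from the Red Hat Insights post or product. It parses a
CVE record in the assumed layout of Red Hat's public Security Data API and
reports, per product, whether an erratum exists and, if not, which of the
"no errata" reasons from the text applies. The field names and the fix_state
vocabulary are assumptions about that API; the sample record is constructed
and uses placeholder identifiers, not real data.
"""
import json

# Assumed fix_state values from the API, mapped to the reasons listed in the text.
FIX_STATE_REASONS = {
    "Under investigation": "ongoing investigation; a fix may still be provided",
    "Will not fix": "risk evaluation; impact judged too limited to ship errata",
    "Out of support scope": "end of support; upgrade or apply other mitigations",
    "Fix deferred": "fix deferred; track for a future release",
    "Affected": "affected, fix not yet decided",
}
NOT_AFFECTED = "Not affected"

# Constructed sample in the assumed API layout (placeholder IDs, not real data).
SAMPLE_CVE_JSON = """
{
  "name": "CVE-YYYY-NNNNN",
  "threat_severity": "Moderate",
  "affected_release": [
    {"product_name": "Red Hat Enterprise Linux 9",
     "advisory": "RHSA-YYYY:NNNN", "package": "example-1.2.3-4.el9"}
  ],
  "package_state": [
    {"product_name": "Red Hat Enterprise Linux 8", "package_name": "example",
     "fix_state": "Will not fix"},
    {"product_name": "Red Hat Enterprise Linux 7", "package_name": "example",
     "fix_state": "Out of support scope"},
    {"product_name": "Red Hat Enterprise Linux 6", "package_name": "example",
     "fix_state": "Under investigation"},
    {"product_name": "Red Hat Enterprise Linux 9", "package_name": "example-compat",
     "fix_state": "Not affected"}
  ]
}
"""


def load_cve(text):
    """Parse one CVE record from its JSON text."""
    return json.loads(text)


def classify_cve(record):
    """Return {product_name: (status, detail)} with status one of
    "errata", "open" (affected, no erratum) or "not-affected".

    Keyed by product only: a release with any advisory counts as having errata,
    a simplification of the per-package detail the API carries.
    """
    status = {}
    for rel in record.get("affected_release", []):
        status[rel["product_name"]] = (
            "errata", f"fixed in {rel['package']} via {rel['advisory']}")
    for ps in record.get("package_state", []):
        product = ps["product_name"]
        if product in status and status[product][0] == "errata":
            continue  # an advisory already covers this release
        state = ps["fix_state"]
        if state == NOT_AFFECTED:
            # Do not let "not affected" for one package mask an open package.
            status.setdefault(product, ("not-affected", f"{ps['package_name']} not affected"))
        else:
            reason = FIX_STATE_REASONS.get(state, f"unrecognised fix_state {state!r}")
            status[product] = ("open", f"{ps['package_name']}: {reason}")
    return status


def products_without_errata(record):
    """Products where the CVE is open and Red Hat has shipped no erratum."""
    return sorted(p for p, (st, _) in classify_cve(record).items() if st == "open")


def report(record):
    """Human-readable lines, one header plus one line per product, for triage."""
    lines = [f"{record['name']} ({record.get('threat_severity', 'unknown')} severity)"]
    for product, (st, detail) in sorted(classify_cve(record).items()):
        lines.append(f"  {product}: {st} - {detail}")
    return lines


if __name__ == "__main__":
    cve = load_cve(SAMPLE_CVE_JSON)
    print("\n".join(report(cve)))
    print("open without errata:", products_without_errata(cve))
```

The "open" bucket is the one this Insights release newly surfaces; the detail string tells you which of the four reasons applies so you can decide between waiting for a fix, mitigating, or upgrading the release.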
What are my options for dealing with CVEs without any errata?
Now that you have visibility into CVEs without associated errata or advisories, how should you approach this information?