Red Hat Vulnerability Exchange files for Common Vulnerabilities and Exposures are now widely accessible.


Red Hat’s Vulnerability Exploitability eXchange (VEX) files are now readily accessible to the public. These files hold crucial data regarding known vulnerabilities that impact the Red Hat portfolio. To access these files, head over to:

Red Hat’s dedication to providing comprehensive security data has led to the development of VEX files for every individual CVE record related to Red Hat’s offerings. It’s a significant move towards centralizing security information and ensuring accuracy in vulnerability identification across all products.

Understanding VEX Files Content

The VEX files cover various statuses for components, including fixed, known affected, known not affected, and under investigation. This detailed breakdown allows for a nuanced view of the vulnerabilities associated with specific products.

Each VEX file comprises key sections such as document metadata, product tree array, and vulnerability metadata. These sections are essential for providing a structured overview of the vulnerability data related to Red Hat products.
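The sections and statuses described above can be consumed as follows. This is an added example, not code from Red Hat or from the original post: it resolves each product ID in the product tree to its Package URL, then reports the status a CVE record gives for one purl. Field names follow the CSAF 2.0 specification rather than anything shown on this page; the sample document, product IDs, purl and CVE ID are constructed placeholders, and purls are matched by exact string comparison.

```python
STATUSES = ("fixed", "known_affected", "known_not_affected", "under_investigation")

def index_products(tree):
    """Map every product_id in the product tree to its purl (or None)."""
    purls = {}
    def walk(branches):
        for branch in branches:
            product = branch.get("product")
            if product:
                helper = product.get("product_identification_helper", {})
                purls[product["product_id"]] = helper.get("purl")
            walk(branch.get("branches", []))
    walk(tree.get("branches", []))
    # A relationship names "component as part of product"; it inherits the component's purl.
    for rel in tree.get("relationships", []):
        purls[rel["full_product_name"]["product_id"]] = purls.get(rel["product_reference"])
    return purls

def status_for_purl(doc, purl):
    """Return sorted (cve, status, product_id) tuples for product ids resolving to purl."""
    purls = index_products(doc.get("product_tree", {}))
    hits = []
    for vuln in doc.get("vulnerabilities", []):
        for status in STATUSES:
            for pid in vuln.get("product_status", {}).get(status, []):
                if purls.get(pid) == purl:
                    hits.append((vuln.get("cve"), status, pid))
    return sorted(hits)

# Constructed sample in CSAF 2.0 VEX layout; every name and ID below is a placeholder.
SAMPLE = {
    "document": {"category": "csaf_vex", "title": "constructed example"},
    "product_tree": {
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_name", "name": "Example OS 8", "product": {"product_id": "os-8", "name": "Example OS 8"}},
            {"category": "product_name", "name": "Example OS 9", "product": {"product_id": "os-9", "name": "Example OS 9"}},
            {"category": "product_version", "name": "libdemo", "product": {
                "product_id": "libdemo", "name": "libdemo",
                "product_identification_helper": {"purl": "pkg:rpm/example/libdemo"}}}]}],
        "relationships": [
            {"category": "default_component_of", "product_reference": "libdemo",
             "relates_to_product_reference": os_id,
             "full_product_name": {"product_id": f"{os_id}:libdemo", "name": f"libdemo in {os_id}"}}
            for os_id in ("os-8", "os-9")]},
    "vulnerabilities": [{"cve": "CVE-0000-0000", "product_status": {
        "known_affected": ["os-9:libdemo"], "known_not_affected": ["os-8:libdemo"]}}],
}

print(status_for_purl(SAMPLE, "pkg:rpm/example/libdemo"))
```

The same component carries a different status in each product stream, which is why the lookup reports the combined product ID alongside the status.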

Significant Updates in VEX File Structure

The product tree structure within VEX files has been optimized for clarity. By organizing products and components hierarchically, navigating through the information becomes more straightforward. Additionally, a revision history and change tracking feature has been incorporated to keep users informed about any updates or modifications within the files.

Downloading CSAF and VEX Archives

For convenient access, Red Hat offers compressed CSAF and VEX archives that bundle all relevant documents. These archives are regularly updated and serve as a resource for keeping security data up to date.

Package URLs Extension

With the latest modifications in the VEX General Availability (GA), Package URL identifiers are expanded to include unfixed components. This enhancement ensures a more comprehensive view of vulnerabilities, even for components still under investigation.

Transition to CSAF and VEX Data

As Red Hat shifts focus towards CSAF and VEX security data, the reliance on OVAL v2 content is gradually being phased out. While OVAL v2 content will continue for core products, the future emphasis lies on utilizing the enriched and current CSAF and VEX files for heightened security measures.

All customers and scanning vendors are encouraged to adopt the supported CSAF and VEX files provided by Red Hat Product Security for robust security vigilance. For any queries or assistance regarding security data, reach out to Red Hat Product Security at [email protected] or raise an issue in the public SECDATA Jira project.

For additional insights and detailed information, refer to the official Red Hat blog post: Red Hat VEX Files for CVEs are Now Generally Available
