Red Hat and CVEs

What is a CVE?

CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE identification (ID) number [1].

Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.

The CVE system

CVE is overseen by the MITRE Corporation with funding from the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security.

CVE entries are brief. They don’t include technical data or information about risks, impacts, and fixes. Those details appear in other databases, including the U.S. National Vulnerability Database (NVD), the CERT/CC Vulnerability Notes Database, and various lists maintained by vendors and other organizations. Across these different systems, CVE IDs give users a reliable way to tell one unique security flaw from another.

How Red Hat works with CVEs

As a major contributor to open source software, Red Hat is continuously engaged in the security community. Red Hat is one of the leaders of and contributors to the CVE Special Interest Group (an industry group sponsored by MITRE).

Red Hat is also a CVE Numbering Authority (CNA) and uses CVE IDs to track security vulnerabilities. Red Hat Security maintains an open and frequently updated database of security updates, which you can view by CVE number.
