Vulnerability Exploitability eXchange (VEX) beta files now available

Red Hat Product Security is pleased to announce that official Red Hat vulnerability data is now available in a new format called the Vulnerability Exploitability eXchange (VEX). In April 2023, we mentioned in an article titled “The future of Red Hat security data”, that Red Hat was working on providing a new security data format. This new format has been created to replace the old OVAL data format, which we aim to deprecate at the end of 2024.

Since February 2023, Red Hat has published Red Hat security advisories (RHSAs) in the CSAF format as an official, recommended authoritative source for Red Hat-released security patches. 

These advisories contain information about patched vulnerabilities (fixed status) for the particular product. They can also include information about components that are not affected by the specific vulnerability (known-not-affected status) that is patched in other components for the same specific product release. The VEX files that are now available also cover the unpatched data for all vulnerabilities (with an associated CVE ID) that potentially affect the Red Hat portfolio, which includes all products and their components.

Red Hat VEX beta files are available at: https://access.redhat.com/security/data/csaf/beta/vex/

What is VEX?

The Vulnerability Exploitability eXchange (VEX) is a profile in the CSAF security machine-readable data standard that allows vendors to assert whether specific vulnerabilities affect a product (product and its components). Not only does it state if they are affected but also what the remediation status is as it changes. A VEX profile covers the following statuses:

• Fixed: Information that the specific CVE is fixed in a particular product and components with a link to the released CSAF advisory
• Known Affected: Confirmation that the specific component and product is affected by a particular CVE and no fix is available
• Known Not Affected: Confirmation that the specific component and product are not affected by a particular CVE
• Under Investigation: Information that the Red Hat Product Security team is verifying the applicability and impact of a specific CVE to a particular product and component

By publishing data in the CSAF-VEX format, Red Hat can provide, without any further delays, transparent information in a machine-readable format about the applicability of a particular public CVE to all related products and their components. Red Hat’s VEX security data covers both RPM packages and also non-RPM related content in container images. For customers and security scanning vendors that use Red Hat security data, the new data provides them with more granular, accurate, and up-to-date information than the previous data formats.

Implementation details

As mentioned in the “The future of Red Hat security data” article, Red Hat releases VEX files for every single CVE that affects the Red Hat portfolio. The key difference between CSAF advisories and VEX files for every CVE is that the CSAF advisory covers two statuses (fixed and not affected) for one specific product release. The VEX file for a single CVE covers all security statuses for all potentially affected products and their components.

VEX files are dynamic and are updated each time new information is available, or there is a change in status for the specific product and component in correlation with the CVE, such as a released patch, a decision that a patch will not be released, or that component is not affected.

Similar to CSAF advisories published by Red Hat, VEX files meet the requirements of the trusted provider role as defined in the standard. All VEX files have an accompanying detached signature file to verify each VEX file's authenticity and a file containing the hash of the VEX file to ensure its integrity.

Understanding Red Hat VEX files

All VEX files generally consist of three major sections:

1. Document metadata
2. Product tree array
3. Vulnerability metadata

Document metadata

The document metadata is included in the "document": {...} object. This section contains basic information about the VEX file, vendor, release, and update dates. You can also find information about the overall vulnerability severity based on Red Hat's severity ratings. Here is an example of the document section:

"aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "moderate"
    }
"id": "CVE-2022-40152",
      "initial_release_date": "2022-09-16T00:00:00+00:00",
      "revision_history": [
        {
          "date": "2022-09-16T00:00:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-09-07T14:15:11+00:00",
          "number": "2",
          "summary": "Current version"
        }
      ],

Product tree array

The product tree array is included in the "product_tree": {...} object. This section contains information about the products, components, and their relationship. All products and their components are represented by individual branches. Product Streams are represented by the “product_name” category, for example:

"category": "product_name",
                "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                "product": {
                  "name": "Red Hat Enterprise Linux BaseOS (v. 8)",
                  "product_id": "BaseOS-8.6.0.GA",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:8::baseos"
                  }
                }
              },

Components are represented by the “product_version” category in the following way:

 "category": "product_version",
                "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
                "product": {
                  "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
                  "product_id": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/kernel-rt@4.18.0-372.9.1.rt7.166.el8?arch=src"
                  }
                }

The product-to-component relationship in the VEX file is represented in the following way:

"category": "default_component_of",
        "full_product_name": {
          "name": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src as a component of Red Hat Enterprise Linux BaseOS (v. 8)",
          "product_id": "BaseOS-8.6.0.GA:kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src"
        },
        "product_reference": "kernel-rt-0:4.18.0-372.9.1.rt7.166.el8.src",
        "relates_to_product_reference": "BaseOS-8.6.0.GA"
      },

It is important to notice that not every component contains the purl identifier in the Red Hat VEX files. Only components that have fixed versions (that is, address a vulnerability) include a purl identifier. If a fix has not yet been released for a vulnerability, identified by the status Known Affected, Known Not Affected, or Under Investigation, the component is identified by its name in the product_version object. Components that do not have a fix available in their Product Streams are assumed to be affected in all versions and associated with the provided status.

Vulnerability metadata

Vulnerability metadata is included in the "vulnerabilities": [...] object. This section contains the security status for all products and their components listed in the product tree section. This section also includes information about the CVE description and possible additional statements or mitigation steps. The potential mitigation options are associated with all products and their components, even if there are already released security patches for some components.
The following is an example of a fixed product status with a listing of relationship object IDs created in the product tree:

 "fixed": [
 "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.aarch64",
          "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.ppc64le",
          "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.s390x",
          "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.src",
          "BaseOS-8.6.0.GA:kernel-0:4.18.0-372.9.1.el8.x86_64",
]

With the associated remediations step and link to the Red Hat CSAF advisory:

"category": "vendor_fix"
"url": "https://access.redhat.com/errata/RHSA-2022:1988"

Affected products and their components may link to an explanatory remediation covering why a certain product may not have an available fix:

"known_affected": [
          "red_hat_enterprise_linux_6:kernel",
          "red_hat_enterprise_linux_7:kernel",
          "red_hat_enterprise_linux_7:kernel-rt"
        ],

{
          "category": "no_fix_planned",
          "details": "Out of support scope",
          "product_ids": [
            "red_hat_enterprise_linux_6:kernel",
            "red_hat_enterprise_linux_7:kernel",
            "red_hat_enterprise_linux_7:kernel-rt"
          ]
        }

The no_fix_planned category contains details why the patch will not be released. The patch will not be released in the above example because the product is already out of the support scope. When the affected product is still supported, but the vulnerability is rated as having a Low security impact, the product may not receive a fix for the given vulnerability. An example of this case is represented in the VEX file using the “no_fix_planned” category and “Will not fix” detail text:

{
          "category": "no_fix_planned",
          "details": "Will not fix",
          "product_ids": [
            "Openshift_pipelines:openshift-pipelines-client"
]
}

The vulnerabilities section also contains information about the CVSS metrics in the scores field. In the threats field, the impact category represents the Red Hat severity rating associated with the products and components pairs. If there is a known exploit for a particular vulnerability, information about it is included in the "exploit_status" category in this section.

Will there be future improvements in the security data?

The security data landscape is constantly changing, which is why there will be further improvements in Red Hat security data. Together with VEX files publication, Red Hat extended information available in the CSAF security advisories (RHSAs) by adding:

• information about active exploits, 
• purl identifiers for each component,
• information about vulnerability mitigations if any exist,
• information about an OS reboot being required after applying the changes of a given advisory.

In the future, we would like to add representation of product version ranges into our machine-readable data formats. Additionally, there are plans to extend the data by providing information about layered products and their relationship to the affected by specific vulnerability primary products and their components. All Red Hat security data changes are tracked in the Red Hat Security Data Changelog.

Please contact Red Hat Product Security with any questions regarding security data at secalert@redhat.com or file an issue in the public SECDATA Jira project.