Base Image Vulnerability and Health Tracking

A core component of containerizing applications is the base image used to build the application. Red Hat provides OCI-compliant base images (RHEL and UBI) that include the base operating system, middleware, and complementary runtime languages for development in containerized environments. The base images are offered via the Red Hat Container Catalog and offer a supported path forward for development, relieving developers from the burden of maintaining and rebuilding the base image(s). With security in mind, understanding the support cycle of OS base images, identifying vulnerability data, and understanding rebuild cycles and related processes can be key to successful container adoption. The following is a high-level overview of identifying and tracking vulnerabilities in Red Hat base images, as well as vulnerability tracking in general.

CVE vs CVSS vs RHSA

CVE - Common Vulnerabilities and Exposures

CVEs provide information on publicly disclosed security flaws. The mission of the CVE program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

CVSS - Common Vulnerability Scoring System

The Common Vulnerability Scoring System is an open framework for communicating the characteristics and severity of software vulnerabilities. Understanding CVSS (baseline) scores and how they are evaluated per vendor (in this case Red Hat) is an important factor for success when evaluating risk. Vendors may evaluate vulnerabilities with a focus on their specific implementation and release vulnerability information specific to a base image, which also determines the prioritization of a fix. CVSS is an overall score assigned to a vulnerability, which differs from the CVE itself.

RHSA - Red Hat Security Advisories

Red Hat Security Advisories document security flaws specifically in Red Hat products, including base images. Information such as specific severity, affected products, links to tickets and the like can be found in an RHSA.

Severity Ratings

Red Hat Determined Severity Ratings

Red Hat rates the severity of security issues using a four-point scale (Low, Moderate, Important and Critical) as well as a separate CVSS base score.

A misinterpretation can take place when the CVSS score is high but the vendor-specified rating is low. For example, a CVSS of 9 may be given to a particular vulnerability while the vendor rating is “Low” due to the default configuration that Red Hat provides. The global CVSS is a baseline, and vendor-specific configurations can greatly reduce the actual risk. This is one case where a high CVSS score appears alongside a low vulnerability classification that does not reflect that score.

Build, rebuild, distribute

The base RHEL and UBI image build cycle:

  • Built when a Critical or Important CVE is released: UBI container images are built wholly and completely from RHEL software packages. Critical and Important CVEs affecting software packages in RHEL, which are only a tiny subset of all of the changes released in RHEL, are patched and released as soon as possible, asynchronously from the standard release process, typically within hours or days. If one of this small number of Critical or Important CVEs affects a UBI container image, the image is automatically rebuilt and released, typically within hours or days.
  • Built every 6 weeks: The vast majority of features, bug fixes and lower priority CVE fixes in RHEL are developed, built, tested, documented and released on a standardized 6 week release cadence. As a final step in this RHEL release process, all UBI container images are rebuilt and released.
  • In-depth Red Hat Enterprise Linux Life Cycle information.
  • Full details on the container support policy.
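
The severity discussion and the rebuild cycle above can be combined into a small triage step. The following is an added example, not Red Hat tooling or code from the original page: it orders findings by Red Hat severity rather than raw CVSS, flags the high-score/low-rating case, and checks an image's age against the 6-week cadence. The field names, the 7.0 CVSS threshold, the placeholder CVE ids and the dates are assumptions constructed for illustration.

```python
from datetime import date

# Red Hat's four-point scale, lowest to highest (from the text above).
SEVERITY_ORDER = ["Low", "Moderate", "Important", "Critical"]
REBUILD_CADENCE_DAYS = 6 * 7  # scheduled rebuild every 6 weeks
HIGH_CVSS = 7.0  # assumption: treat a base score of 7.0 or more as "high"


def rebuild_path(severity):
    """Map a Red Hat severity rating to the rebuild path described above."""
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown Red Hat severity: {severity!r}")
    if severity in ("Critical", "Important"):
        return "asynchronous rebuild"
    return "scheduled 6-week rebuild"


def triage(findings):
    """Order findings by vendor severity first, CVSS second, and flag
    entries whose CVSS base score is high but whose vendor rating is not."""
    rows = []
    for f in findings:
        rows.append({
            "cve": f["cve"],
            "severity": f["severity"],
            "cvss": f["cvss"],
            "path": rebuild_path(f["severity"]),
            "score_rating_mismatch": f["cvss"] >= HIGH_CVSS
            and f["severity"] in ("Low", "Moderate"),
        })
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), r["cvss"]),
              reverse=True)
    return rows


def image_is_stale(build_date, today):
    """Heuristic: older than one cadence means a scheduled rebuild was missed."""
    return (today - build_date).days > REBUILD_CADENCE_DAYS


# Constructed sample data: placeholder CVE ids, not real advisories.
SAMPLE = [
    {"cve": "CVE-0000-0001", "cvss": 9.0, "severity": "Low"},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "severity": "Important"},
    {"cve": "CVE-0000-0003", "cvss": 5.3, "severity": "Moderate"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
    print("stale:", image_is_stale(date(2024, 1, 1), date(2024, 3, 1)))
```

A flagged mismatch is a prompt to read the advisory's reasoning, not a finding to suppress automatically.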

Researching Details and Tracking Risks

Vulnerabilities and fixes in Red Hat Products

A variety of data sources exist for researching vulnerabilities, risk and updates. It is recommended to use the vendor-supplied (Red Hat) data as the source of truth. The following links are provided to assist in researching Red Hat security information and base image updates.

CVE Dashboard

Security Advisories

Information on Container Image Updates

Example

Finding Vulnerability Data

Below is a base image with vulnerabilities present. Utilize the “security” tab for the standalone image security data.

CVEs present in the image are shown below. In the right-hand column you can see the RHSA and a link to more information on the advisory, which provides the synopsis, severity, description, solution, etc.

From the RHSA link, additional data is available for synopsis, type, solution, etc.

From the “fixes” link, there is public access to Bugzilla information and data that can be utilized to see what is taking place to resolve the issues. (It is important to note that moving forward JIRA may be adopted in some products.)

Using the dashboards and tooling above, customers can track base images and vulnerabilities and maintain better knowledge of the status of the base images used in their environment(s). By using the Red Hat supplied base images, you remove base OS maintenance from your development teams and rely on Red Hat as a trusted source for timely upgrades.