Since Rocky is direct 1:1 with RHEL, then yes you can use the RHEL errata. Also, see this thread: Apollo, Errata, & You: a CIQ OSPO request for comment where there is ongoing work to get the Rocky errata up-to-date and maintained. At which point, once complete, you’ll be able to reference the Rocky errata.
You can also use commands like:
dnf changelog httpd | grep -i CVE
to see what CVE’s are fixed. You can be more verbose, and put a full/partial CVE number to check. Like using your openssh example for Rocky8:
[root@rocky8 ~]# dnf changelog openssh | grep 38408
Related: CVE-2023-38408
Resolves: CVE-2023-38408