CVE Impact Analysis Skill

This skill helps SREs analyze CVE vulnerabilities to understand their impact on systems before creating remediation playbooks.

Integration with Remediator Agent: The sre-agents:remediator agent (invoked) orchestrates this skill as part of its Step 1 (Impact Analysis) workflow for complex remediation scenarios. For simple standalone impact analysis, you can invoke this skill directly.

Prerequisites

Required MCP Servers: lightspeed-mcp (setup guide)

Required MCP Tools:

• get_cves (from lightspeed-mcp) - List/query CVEs by severity
• get_cve (from lightspeed-mcp) - Get specific CVE details
• get_cve_systems (from lightspeed-mcp) - Find systems affected by CVEs

Required Environment Variables:

• LIGHTSPEED_CLIENT_ID - Red Hat Lightspeed service account client ID
• LIGHTSPEED_CLIENT_SECRET - Red Hat Lightspeed service account secret

Prerequisite Validation

CRITICAL: Before executing any operations, invoke the mcp-lightspeed-validator skill to verify MCP server availability.

Validation freshness: Can skip if already validated in this session. See Validation Freshness Policy.

How to invoke:

Use the Skill tool:
  skill: "mcp-lightspeed-validator"

Handle validation result:

• If validation PASSED: Continue with CVE impact analysis
• If validation PARTIAL: Warn user and ask to proceed
• If validation FAILED: Stop execution, provide setup instructions

When to Use This Skill

Use this skill directly when you need:

• Standalone CVE impact analysis without remediation planning
• Quick risk assessment for a single CVE
• Understanding which systems are affected by a CVE
• CVE severity assessments for change management documentation
• Risk assessment reports for management

Use the sre-agents:remediator agent when you need:

• CVE analysis followed by remediation playbook generation
• Complex workflows involving multiple CVEs and systems
• Integrated risk assessment + remediation planning + execution guidance
• Batch remediation across infrastructure
• End-to-end CVE management (analysis → validation → remediation → verification)

To invoke: Use the sre-agents:remediator agent

How they work together: The sre-agents:remediator agent orchestrates this skill as part of its comprehensive workflow, combining impact analysis with context gathering, playbook generation, and execution guidance. The agent uses the skill's analysis capabilities and extends them with remediation planning.

Workflow

Step 0: Validate Lightspeed MCP Prerequisites

Action: Invoke the mcp-lightspeed-validator skill

Note: Can skip if validation was performed earlier in this session and succeeded. See Validation Freshness Policy.

How to invoke:

Use the Skill tool:
  skill: "mcp-lightspeed-validator"

Handle validation result:

• If validation PASSED: Continue to Step 1
• If validation PARTIAL: Warn user and ask to proceed
• If validation FAILED: Stop execution, user must set up MCP server

Step 1: List Critical CVEs (Optional - For Discovery Queries)

Use this step when users ask: "What are the critical vulnerabilities?", "Show me high-severity CVEs", "List all vulnerabilities on my account"

CRITICAL: Document consultation MUST happen BEFORE tool invocation.

Document Consultation (REQUIRED - Execute FIRST):

1. Action: Read vulnerability-logic.md using the Read tool to understand CVE severity classification and filtering logic
2. Output to user: "I consulted vulnerability-logic.md to understand CVE severity classification and filtering."

MCP Tool: get_cves or vulnerability__get_cves (from lightspeed-mcp)

Parameters:

• impact: "7,6" (string with comma-separated impact levels where 7=Important, 6=Moderate, 5=Low)
• sort: "-cvss_score" (sort by field with - prefix for descending order; valid fields: "cvss_score", "public_date")
• limit: 20 (maximum number of CVEs to return)

Expected Output: List of CVEs with metadata (CVE ID, CVSS score, severity, affected system count, remediation availability)

Retrieve all CVEs affecting the account, filtered by severity:

# Get all CVEs with Important and Moderate severity (impact levels 7, 6)
# Sorted by CVSS score descending
get_cves(
  impact="7,6",
  sort="-cvss_score",
  limit=20
)

# Example tool invocation after document consultation:
# Step 1: Read vulnerability-logic.md (required)
# Step 2: Output "I consulted..." message (required)
# Step 3: Call MCP tool with correct parameters:

vulnerability__get_cves(
  impact="7,6",
  sort="-cvss_score",
  limit=20
)

# Expected output:
CVE-2024-1234 (CVSS 9.8, Important) - kernel
  Affected systems: 15
  Remediation: Available

CVE-2024-5678 (CVSS 8.1, Important) - httpd
  Affected systems: 8
  Remediation: Available

CVE-2024-9012 (CVSS 7.5, Important) - openssl
  Affected systems: 25
  Remediation: Available

After listing CVEs:

• Sort by CVSS score (highest first) or by number of affected systems
• Provide summary table with CVE ID, severity, affected systems count, remediation availability
• Offer to analyze any specific CVE in detail (use Step 1 below)
• Offer to create remediation plan (invoke the sre-agents:remediator agent)

Step 2: CVE Information Retrieval (For Specific CVE Analysis)

CRITICAL: Document consultation MUST happen BEFORE tool invocation.

Document Consultation (REQUIRED - Execute FIRST):

1. Action: Read cvss-scoring.md using the Read tool to understand CVSS score interpretation and severity mapping
2. Output to user: "I consulted cvss-scoring.md to understand CVSS score interpretation and severity mapping."

MCP Tool: get_cve or vulnerability__get_cve (from lightspeed-mcp)

Parameters:

• cve_id: Exact CVE identifier from user query (format: "CVE-YYYY-NNNNN")
  • Example: "CVE-2024-1234"
• include_details: true (retrieve complete metadata including CVSS vector, affected packages, references)

Expected Output: Comprehensive CVE metadata including CVSS score, severity, attack vector, affected packages, remediation status

Retrieve comprehensive CVE metadata:

CVE ID: CVE-YYYY-NNNNN
CVSS Score: X.X (Base score from NIST)
Severity: Critical/High/Medium/Low
Attack Vector: Network/Adjacent/Local/Physical
Attack Complexity: Low/High
Privileges Required: None/Low/High
User Interaction: None/Required
Scope: Unchanged/Changed
Confidentiality Impact: None/Low/High
Integrity Impact: None/Low/High
Availability Impact: None/Low/High

Description: [CVE description from NVD/Red Hat]
Affected Packages: [List of packages and versions]
Published Date: YYYY-MM-DD
Last Modified: YYYY-MM-DD

Step 3: Affected Systems Identification

CRITICAL: Document consultation MUST happen BEFORE tool invocation.

Document Consultation (REQUIRED - Execute FIRST):

1. Action: Read insights-api.md using the Read tool to understand the system identification response format
2. Output to user: "I consulted insights-api.md to understand the system identification response format."

MCP Tool: get_cve_systems or vulnerability__get_cve_systems (from lightspeed-mcp)

Parameters:

• cve_id: Exact CVE identifier (format: "CVE-YYYY-NNNNN")
  • Example: "CVE-2024-1234"
• include_patched: false (exclude already-patched systems to focus on vulnerable systems)

Expected Output: List of affected systems with UUID, hostname, IP address, package version, vulnerability status

Identify which systems in your infrastructure are affected by the CVE:

Affected Systems:
- system-uuid-1 (hostname: web-server-01, IP: 10.0.1.10)
  - Package: httpd-2.4.37-1.el8
  - Status: Vulnerable

- system-uuid-2 (hostname: web-server-02, IP: 10.0.1.11)
  - Package: httpd-2.4.37-1.el8
  - Status: Vulnerable

Total Affected Systems: N

Step 4: System Classification

CRITICAL: Document consultation MUST happen BEFORE classification logic.

Document Consultation (REQUIRED - Execute FIRST):

1. Action: Read fleet-management.md using the Read tool to understand system tagging and classification strategies
2. Output to user: "I consulted fleet-management.md to understand system tagging and classification strategies."

Classify affected systems by environment and criticality based on tags from Red Hat Lightspeed:

System Classification:
- Production systems: N (highest priority)
- Staging systems: M (test before prod)
- Development systems: K (lowest priority)
- Bare metal: X systems
- Virtual machines: Y systems

Step 5: Risk Assessment

CRITICAL: Document consultation MUST happen BEFORE risk assessment.

Document Consultation (REQUIRED - Execute FIRST):

1. Action: Read cvss-scoring.md using the Read tool to understand risk prioritization based on CVSS vectors
2. Output to user: "I consulted cvss-scoring.md to understand risk prioritization based on CVSS vectors."

Provide a risk assessment based on:

• CVSS score and severity
• Number of affected systems
• System criticality (production vs non-production)
• Attack vector and exploitability
• Known exploits in the wild

Output Format:

Risk Assessment Summary
━━━━━━━━━━━━━━━━━━━━━━━

Overall Risk Level: Critical/High/Medium/Low

Factors:
✓ CVSS Score: X.X (Severity: High)
✓ Affected Systems: N systems
✓ Environment: Production (Critical)
✓ Attack Vector: Network (Remote exploitable)
✓ Exploitability: Proof-of-concept exists
✓ User Interaction: None required

Recommendation: Immediate remediation recommended
Priority: P0 (within 24 hours) / P1 (within 7 days) / P2 (within 30 days)

Step 6: Impact Analysis

Analyze the potential business impact:

Impact Analysis
━━━━━━━━━━━━━━━━━━━━━━━

Service Impact:
- Web services (web-server-01, web-server-02): High availability risk
- API endpoints: Potential data exposure

Business Impact:
- Confidentiality: Customer data could be exposed
- Integrity: System files could be modified
- Availability: Service disruption possible

Compliance Impact:
- PCI-DSS: Non-compliance if not remediated
- SOC 2: Control failure

Step 7: Remediation Readiness Check

Check if remediation is available:

Remediation Availability
━━━━━━━━━━━━━━━━━━━━━━━

✓ Automated Playbook: Available
✓ Package Update: httpd-2.4.37-2.el8 (fixed version)
✓ Reboot Required: No
✓ Estimated Downtime: < 5 minutes per system

OR

✗ Automated Playbook: Not available
✓ Manual Steps Required: Yes
  1. Update package manually: yum update httpd
  2. Restart service: systemctl restart httpd
  3. Verify fix: httpd -v

Output Template

When completing a CVE impact analysis, provide output in this format:

# CVE Impact Analysis Report

## CVE Information
**CVE ID**: CVE-YYYY-NNNNN
**CVSS Score**: X.X
**Severity**: Critical/High/Medium/Low
**Published**: YYYY-MM-DD

**Description**:
[Brief description of the vulnerability]

**Affected Packages**:
- package-name version-range

## Affected Systems
**Total Systems**: N

| System | Hostname | Environment | Package | Status |
|--------|----------|-------------|---------|--------|
| uuid-1 | server-01 | Production | httpd-2.4.37 | Vulnerable |
| uuid-2 | server-02 | Production | httpd-2.4.37 | Vulnerable |

## Risk Assessment
**Overall Risk**: Critical/High/Medium/Low
**Priority**: P0/P1/P2
**Recommendation**: [Immediate remediation / Schedule maintenance / Monitor]

**Key Factors**:
- Attack Vector: [Network/Local/etc]
- Exploitability: [Known exploits / PoC available / Theoretical]
- Impact: [High/Medium/Low]

## Business Impact
- **Confidentiality**: [Impact description]
- **Integrity**: [Impact description]
- **Availability**: [Impact description]

## Remediation Options
- ✓ Automated playbook available
- ✓ Manual steps documented
- ⚠ Requires testing in staging first
- ⚠ Maintenance window recommended

## Next Steps
1. [ ] Approve remediation plan
2. [ ] Schedule maintenance window (if needed)
3. [ ] Create remediation playbook (use sre-agents:remediator agent)
4. [ ] Test in staging environment
5. [ ] Execute in production
6. [ ] Verify remediation success

Examples

Example 0: List Critical Vulnerabilities (Discovery Query)

User Request: "What are the most critical vulnerabilities on my account?"

Skill Response:

1. Call get_cves(severity=["Critical", "Important"], sort_by="cvss_score", limit=20)
2. Parse and sort results by CVSS score
3. Return summary table:

# Critical Vulnerabilities Summary

Found 12 Critical/Important CVEs affecting your systems:

| CVE ID | CVSS | Severity | Affected Systems | Remediation | Priority |
|--------|------|----------|------------------|-------------|----------|
| CVE-2024-1234 | 9.8 | Critical | 15 systems | Available | P0 - Immediate |
| CVE-2024-5678 | 8.1 | Important | 8 systems | Available | P1 - 7 days |
| CVE-2024-9012 | 7.5 | Important | 25 systems | Available | P1 - 7 days |
| ... | ... | ... | ... | ... | ... |

**Recommendations**:
- CVE-2024-1234: Immediate remediation required (CVSS 9.8, network exploitable)
- CVE-2024-5678: Schedule remediation within 7 days
- CVE-2024-9012: High system count (25 systems) - consider batch remediation

**Next Steps**:
- Analyze any specific CVE for details: "Analyze CVE-2024-1234"
- Create remediation plan: "Remediate CVE-2024-1234 on all affected systems"

4. Wait for user to request specific CVE analysis or remediation
5. If user says "remediate CVE-X", respond: "I'll transition to the sre-agents:remediator agent to create the remediation playbook" (invoke the sre-agents:remediator agent)

Example 1: High-Severity CVE Analysis

User Request: "Analyze the impact of CVE-2024-1234"

Skill Response:

1. Retrieve CVE details using get_cve
2. List affected systems using get_cve_systems
3. Classify systems by environment and criticality
4. Provide risk assessment and recommendations
5. Suggest next steps (use sre-agents:remediator agent if remediation needed)

Example 2: Multiple CVE Comparison

User Request: "Compare the impact of CVE-2024-1234 and CVE-2024-5678"

Skill Response:

1. Retrieve details for both CVEs
2. Create comparison table (CVSS, severity, affected systems)
3. Recommend prioritization order
4. Suggest batch remediation if both should be fixed together

Example 3: Environment-Specific Analysis

User Request: "Which production systems are affected by CVE-2024-1234?"

Skill Response:

1. Retrieve CVE details
2. Filter affected systems by environment tag
3. Provide production-specific impact assessment
4. Include business impact analysis for production services

Integration with Remediator Agent

After completing impact analysis, the skill should:

1. Suggest transition to remediation if risk is high:

   Based on this analysis, immediate remediation is recommended.
   
   Would you like me to create a remediation playbook?
   (This will invoke the sre-agents:remediator agent)

2. Provide context for remediation:

   • CVE ID
   • Affected system UUIDs
   • Recommended execution method (AAP/Tower/Manual)
   • Suggested maintenance window

Error Handling

CVE not found:

CVE-YYYY-NNNNN was not found in the Red Hat CVE database.

Possible reasons:
- CVE ID is incorrect
- CVE is too recent and not yet in database
- CVE doesn't affect RHEL systems

Suggestions:
- Verify CVE ID format (CVE-YYYY-NNNNN)
- Check NVD database: https://nvd.nist.gov/vuln/search
- Try alternative CVE IDs if this is an alias

No affected systems:

CVE-YYYY-NNNNN Analysis Complete

Good news! No systems in your infrastructure are affected by this CVE.

Possible reasons:
- Your systems are already patched
- Affected packages are not installed
- Systems are running different versions

No action required.

Best Practices

1. Always start with risk assessment before deciding on remediation
2. Check for known exploits using CVE description and references
3. Consider business impact not just CVSS scores
4. Group related CVEs for batch remediation when possible
5. Document findings for compliance and audit purposes
6. Test in staging first for high-impact changes

Dependencies

Required MCP Servers

• lightspeed-mcp - Red Hat Lightspeed platform access

Required MCP Tools

• get_cves (from lightspeed-mcp) - List/query CVEs by severity and filters

  • Parameters: severity (array), sort_by (string), limit (number)
  • Returns: List of CVEs with CVSS scores, severity, affected systems count

• get_cve (from lightspeed-mcp) - Get specific CVE details

  • Parameters: cve_id (string, format CVE-YYYY-NNNNN), include_details (boolean)
  • Returns: Complete CVE metadata with CVSS vector, affected packages, references

• get_cve_systems (from lightspeed-mcp) - Find systems affected by CVE

  • Parameters: cve_id (string), include_patched (boolean)
  • Returns: List of affected systems with UUID, hostname, package version, status

Related Skills

• mcp-lightspeed-validator - PREREQUISITE - Validates Lightspeed MCP server before operations

  • Use before: ALL cve-impact operations (Step 0 in workflow)
  • Purpose: Ensures MCP server is available before attempting tool calls

• cve-validation - Validate CVE IDs before impact analysis

  • Use before: Step 2 if CVE format/existence is uncertain
  • Purpose: Confirms CVE is valid and remediable before expensive analysis

• system-context - Get detailed system configuration after identifying affected systems

  • Use after: Step 3 when deeper system investigation is needed
  • Purpose: Understand deployment architecture for remediation planning

• fleet-inventory - Get comprehensive fleet information before CVE analysis

  • Use before: Step 1 when starting from fleet discovery
  • Purpose: Understand overall infrastructure before assessing CVE impact

Reference Documentation

• cvss-scoring.md - CVSS score interpretation and severity mapping
• vulnerability-logic.md - CVE severity classification and filtering
• insights-api.md - System identification response format
• fleet-management.md - System tagging and classification strategies

Tools Reference

This skill primarily uses:

• get_cve (vulnerability toolset) - Get details about a specific CVE
• get_cve_systems (vulnerability toolset) - Get list of systems affected by a CVE
• get_cves (vulnerability toolset) - Get list of all CVEs affecting the account (optional)
• get_system_cves (vulnerability toolset) - Get list of CVEs affecting a specific system (optional)
• get_host_details (inventory toolset) - Get detailed system information (optional)

All tools are provided by the lightspeed-mcp MCP server configured in .mcp.json.