**CRITICAL**: This skill must be used for CVE validation queries. DO NOT use raw MCP tools like get_cve directly. Validate CVE identifiers and check remediation availability in Red Hat Lightspeed. Use this skill when you need to verify a CVE exists, check its severity, and confirm automated remediation is available before proceeding with remediation planning. This skill orchestrates MCP tools (get_cve) to provide comprehensive CVE validation with format checking, existence verification, and remediation availability assessment. **IMPORTANT**: ALWAYS use this skill instead of calling get_cve directly for CVE validation tasks.
Install
npx skillscat add rhecosystemappeng/agentic-collections/cve-validation
Install via the SkillsCat registry.
CVE Validation Skill
This skill validates CVE identifiers and checks remediation availability in Red Hat Lightspeed, ensuring CVEs are valid and remediable before investing effort in remediation planning.
Integration with Remediator Agent: The sre-agents:remediator agent (invoked) orchestrates this skill as part of its Step 2 (Validate CVE) workflow. For standalone CVE validation, you can invoke this skill directly.
Prerequisites
Required MCP Servers: lightspeed-mcp (setup guide)
Required MCP Tools:
- get_cve (from lightspeed-mcp) - Get CVE metadata and validation
Required Environment Variables:
- LIGHTSPEED_CLIENT_ID - Red Hat Lightspeed service account client ID
- LIGHTSPEED_CLIENT_SECRET - Red Hat Lightspeed service account secret
Prerequisite Validation
CRITICAL: Before executing any operations, invoke the mcp-lightspeed-validator skill to verify MCP server availability.
Validation freshness: Can skip if already validated in this session. See Validation Freshness Policy.
How to invoke:
Use the Skill tool:
skill: "mcp-lightspeed-validator"
Handle validation result:
- If validation PASSED: Continue with CVE validation
- If validation PARTIAL: Warn user and ask to proceed
- If validation FAILED: Stop execution, provide setup instructions
When to Use This Skill
Use this skill directly when you need:
- Quick validation of CVE identifier format and existence
- Check if automated remediation is available
- Verify CVE metadata before analysis
- Validate CVE lists for batch operations
Use the sre-agents:remediator agent when you need:
- Full remediation workflow (validation + analysis + playbook + execution)
- Integrated CVE validation as part of remediation planning
How they work together: The sre-agents:remediator agent (invoked) invokes this skill early in the workflow to fail fast if a CVE is invalid or has no automated remediation, saving time and effort.
Workflow
Step 0: Validate Lightspeed MCP Prerequisites
Action: Invoke the mcp-lightspeed-validator skill
Note: Can skip if validation was performed earlier in this session and succeeded. See Validation Freshness Policy.
How to invoke:
Use the Skill tool:
skill: "mcp-lightspeed-validator"
Handle validation result:
- If validation PASSED: Continue to Step 1
- If validation PARTIAL: Warn user and ask to proceed
- If validation FAILED: Stop execution, user must set up MCP server
Step 1: CVE Format Validation
Validate CVE identifier format before calling MCP tools:
CVE Format: CVE-YYYY-NNNNN
Where:
- YYYY = 4-digit year (1999-2026)
- NNNNN = 4-7 digit sequence number
Valid Examples:
- CVE-2024-1234
- CVE-2023-12345
- CVE-2021-1234567
Invalid Examples:
- CVE-24-1234 (year must be 4 digits)
- CVE-2024-ABC (sequence must be numeric)
- 2024-1234 (missing CVE- prefix)
Quick Regex Check:
Pattern: ^CVE-\d{4}-\d{4,7}$
If invalid format:
→ Return error immediately
→ Suggest format correction
→ Do not proceed to MCP tool calls
Step 2: CVE Metadata Retrieval
CRITICAL: Document consultation MUST happen BEFORE tool invocation.
Document Consultation (REQUIRED - Execute FIRST):
- Action: Read vulnerability-logic.md using the Read tool to understand CVE validation criteria and remediation availability checks
- Output to user: "I consulted vulnerability-logic.md to understand CVE validation criteria and remediation availability checks."
MCP Tool: get_cve or vulnerability__get_cve (from lightspeed-mcp)
Parameters:
- cve_id: Exact CVE identifier from user query (format: "CVE-YYYY-NNNNN")
  - Example: "CVE-2024-1234"
- include_details: true (retrieve complete metadata including remediation status)
- validate_format: true (confirm CVE format is correct before API call)
Expected Output: CVE metadata including CVSS score, severity, affected packages, remediation availability
Retrieve CVE metadata from Red Hat Lightspeed:
```
{
  "cve_id": "CVE-2024-1234",
  "cvss_score": 7.5,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "severity": "Important", # Red Hat severity rating
  "description": "A vulnerability in Apache HTTPD...",
  "published_date": "2024-01-15",
  "modified_date": "2024-01-20",
  "affected_packages": [
    {
      "name": "httpd",
      "version": "2.4.37-1.el8",
      "fixed_version": "2.4.37-2.el8"
    }
  ],
  "references": [
    "https://access.redhat.com/errata/RHSA-2024:1234",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
  ],
  "cwe": "CWE-400: Uncontrolled Resource Consumption",
  "exploitability": "Proof of concept available",
  "remediation_available": true, # KEY FIELD
  "reboot_required": false
}
```
Step 3: Validation Checks
CRITICAL: Document consultation MUST happen BEFORE validation logic.
Document Consultation (REQUIRED - Execute FIRST):
- Action: Read cvss-scoring.md using the Read tool to understand Red Hat severity classification and CVSS score ranges
- Output to user: "I consulted cvss-scoring.md to understand Red Hat severity classification and CVSS score ranges."
Perform comprehensive validation:
A. Existence Check:
✓ CVE exists in Red Hat CVE database
✗ CVE not found → Return error with suggestions
B. Red Hat Relevance Check:
✓ CVE affects RHEL systems
✗ CVE is Windows/macOS specific → Not applicable to RHEL
C. Severity Classification:
Red Hat Severity Levels:
- Critical (CVSS 9.0-10.0): Immediate action required
- Important (CVSS 7.0-8.9): Urgent remediation needed
- Moderate (CVSS 4.0-6.9): Plan remediation
- Low (CVSS 0.1-3.9): Low priority
D. Remediation Availability Check:
Key Question: Can Red Hat Lightspeed generate an automated playbook?
✓ remediation_available = true
→ Proceed with automated remediation
→ Use create_vulnerability_playbook tool
✗ remediation_available = false
→ Manual remediation required
→ Provide manual steps based on affected packages
E. Package Information Validation:
Check affected_packages array:
✓ Packages identified: httpd-2.4.37-1.el8
✓ Fixed version available: httpd-2.4.37-2.el8
✓ Package exists in RHEL repositories
This information will be used by the playbook-generator skill.
Step 4: Return Validation Result
Return structured validation result:
```
{
  "validation_status": "valid", # or "invalid", "not_found", "not_remediable"
  "cve_metadata": {
    "cve_id": "CVE-2024-1234",
    "cvss_score": 7.5,
    "severity": "Important",
    "description": "Brief description...",
    "published_date": "2024-01-15"
  },
  "remediation_status": {
    "automated_remediation_available": true,
    "reboot_required": false,
    "affected_packages": [
      {
        "name": "httpd",
        "current_version": "2.4.37-1.el8",
        "fixed_version": "2.4.37-2.el8"
      }
    ]
  },
  "recommendations": [
    "Automated remediation available via Red Hat Lightspeed",
    "No reboot required for this CVE",
    "Severity: Important - Urgent remediation recommended",
    "Test in staging environment before production deployment"
  ],
  "next_steps": [
    "Analyze CVE impact (use cve-impact skill)",
    "Gather system context (use system-context skill)",
    "Generate remediation playbook (use playbook-generator skill)"
  ]
}
```
Output Template
When completing CVE validation, provide output in this format:
# CVE Validation Result
## CVE: CVE-YYYY-NNNNN
**Status**: ✓ Valid
## CVE Information
**CVSS Score**: 7.5 (Important)
**Published**: 2024-01-15
**Description**: [Brief description of the vulnerability]
## Affected Packages
- httpd-2.4.37-1.el8 → httpd-2.4.37-2.el8 (fixed)
## Remediation Status
✓ **Automated Remediation Available**
✓ Package updates available
✗ Reboot NOT required
## Severity Assessment
**Red Hat Severity**: Important
**Priority**: P1 - Urgent remediation recommended
**Response Time**: Within 7 days
## Recommendations
1. Automated remediation available via Red Hat Lightspeed
2. No reboot required - minimal disruption
3. Test in staging environment first
4. Schedule deployment during change window
## Next Steps
1. Analyze CVE impact → Use cve-impact skill
2. Gather system context → Use system-context skill
3. Generate remediation playbook → Use playbook-generator skill
4. Execute remediation → Follow playbook instructions
5. Verify success → Use remediation-verifier skill
Examples
Example 1: Valid CVE with Automated Remediation
User Request: "Validate CVE-2024-1234"
Skill Response:
- Check format → Valid (CVE-2024-1234)
- Call get_cve → CVE found in database
- Check remediation_available → true
- Extract metadata → CVSS 7.5, Important severity, httpd package
- Return: "Valid CVE, automated remediation available, proceed with workflow"
Example 2: Valid CVE, No Automated Remediation
User Request: "Validate CVE-2024-5678"
Skill Response:
- Check format → Valid
- Call get_cve → CVE found
- Check remediation_available → false
- Extract manual steps → Affected package: custom-app-1.0
- Return: "Valid CVE but no automated playbook. Manual remediation required: yum update custom-app"
Example 3: Invalid CVE Format
User Request: "Validate CVE-24-1234"
Skill Response:
- Check format → Invalid (year must be 4 digits)
- Return error immediately without MCP call
- Suggest correction: "Did you mean CVE-2024-1234?"
Example 4: CVE Not Found
User Request: "Validate CVE-2024-999999"
Skill Response:
- Check format → Valid
- Call get_cve → 404 Not Found
- Return: "CVE not found in Red Hat database. Possible reasons: CVE too recent, doesn't affect RHEL, or invalid ID. Check NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-999999"
Example 5: Batch Validation
User Request: "Validate CVE-2024-1234, CVE-2024-5678, CVE-2024-9012"
Skill Response:
- Validate each CVE sequentially
- Return summary:
- CVE-2024-1234: ✓ Valid, automated remediation available
- CVE-2024-5678: ✓ Valid, manual remediation required
- CVE-2024-9012: ✗ Invalid format (CVE-2024-90124 has too many digits)
- Suggest: "Proceed with automated remediation for CVE-2024-1234, manual steps for CVE-2024-5678, correct format for third CVE"
Error Handling
CVE Format Invalid:
CVE Validation Failed: Invalid Format
Provided: CVE-24-1234
Expected Format: CVE-YYYY-NNNNN
Where:
- YYYY = 4-digit year (e.g., 2024)
- NNNNN = 4-7 digit sequence number
Suggestion: Did you mean CVE-2024-1234?
CVE Not Found in Database:
CVE Validation Failed: Not Found
CVE-YYYY-NNNNN was not found in the Red Hat CVE database.
Possible reasons:
1. CVE is too recent (not yet in Red Hat Lightspeed)
2. CVE doesn't affect RHEL systems (Windows/macOS specific)
3. CVE ID is incorrect or doesn't exist
Next steps:
1. Verify CVE ID at NVD: https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN
2. Check Red Hat Security Advisories: https://access.redhat.com/security/cve/CVE-YYYY-NNNNN
3. Wait 24-48 hours if CVE was just published
CVE Exists But No Automated Remediation:
CVE Validation: Valid (No Automated Remediation)
CVE-YYYY-NNNNN is valid but does not have an automated remediation playbook.
CVE Details:
- CVSS Score: X.X
- Severity: Important
- Affected Packages: package-name-version
Manual Remediation Required:
1. Update package manually:
   ```bash
   # RHEL 8/9
   sudo dnf update package-name
   # RHEL 7
   sudo yum update package-name
   ```
2. Restart service (if applicable):
   ```bash
   sudo systemctl restart service-name
   ```
3. Verify fix:
   ```bash
   package-name --version
   ```
Would you like me to create a manual playbook template based on these steps?

**API Access Error**:

CVE Validation Failed: API Access Error
Unable to access Red Hat Lightspeed API.
Possible causes:
- Network connectivity issue
- API authentication failure
- Lightspeed service temporarily unavailable
Troubleshooting:
- Check network connectivity: ping console.redhat.com
- Verify credentials: insights-client --status
- Check Lightspeed service status: https://status.redhat.com
- Retry in a few minutes
## Best Practices
1. **Validate format first** - Don't waste API calls on malformed CVE IDs
2. **Check remediation availability** - Fail fast if no automated remediation
3. **Batch validation efficiently** - Validate multiple CVEs in parallel when possible
4. **Provide clear next steps** - Guide users to appropriate next action
5. **Include manual steps** - Always provide manual remediation guidance if automated is unavailable
6. **Link to official sources** - Include NVD and Red Hat Security links
7. **Cache validation results** - Avoid redundant API calls for same CVE
## Dependencies
### Required MCP Servers
- `lightspeed-mcp` - Red Hat Lightspeed platform access
### Required MCP Tools
- `get_cve` (from lightspeed-mcp) - Get CVE metadata and validation
- Parameters: cve_id (string, format CVE-YYYY-NNNNN), include_details (boolean), validate_format (boolean)
- Returns: CVE metadata with CVSS score, severity, affected packages, remediation availability
### Related Skills
- `mcp-lightspeed-validator` - **PREREQUISITE** - Validates Lightspeed MCP server before operations
- Use before: ALL cve-validation operations (Step 0 in workflow)
- Purpose: Ensures MCP server is available before attempting tool calls
- `cve-impact` - Analyze CVE impact after validation
- Use after: Step 4 when CVE is validated and user wants impact analysis
- Purpose: Assess risk and affected systems for validated CVE
- `system-context` - Get system details after validating CVE affects systems
- Use after: Validation confirms CVE has affected systems
- Purpose: Understand deployment context before remediation
- `playbook-generator` - Generate remediation playbooks for validated CVEs
- Use after: Validation confirms remediation_available = true
- Purpose: Create automated remediation for valid, remediable CVEs
### Reference Documentation
- [vulnerability-logic.md](../../docs/insights/vulnerability-logic.md) - CVE validation criteria and remediation availability checks
- [cvss-scoring.md](../../docs/references/cvss-scoring.md) - Red Hat severity classification and CVSS score ranges
- [cve-remediation-templates.md](../../docs/ansible/cve-remediation-templates.md) - Manual remediation templates for CVEs without automated playbooks
## Tools Reference
This skill primarily uses:
- `get_cve` (vulnerability toolset) - Get CVE metadata from Red Hat Lightspeed
All tools are provided by the lightspeed-mcp MCP server configured in `.mcp.json`.
## Integration with Other Skills
- **cve-impact**: Validates CVE before performing impact analysis
- **playbook-generator**: Only generates playbooks for valid, remediable CVEs
- **system-context**: Only gathers context for valid CVEs
- **remediation-verifier**: Validates CVE was properly remediated
**Orchestration Example** (from sre-agents:remediator agent - invoked):
1. User requests remediation for CVE-2024-1234
2. Agent invokes cve-validation skill → Confirms valid and remediable
3. Agent invokes cve-impact skill → Risk assessment
4. Agent invokes system-context skill → Deployment architecture
5. Agent invokes playbook-generator skill → Creates playbook
6. User executes playbook
7. Agent invokes remediation-verifier skill → Confirms success
**Validation-First Pattern**:
Always validate CVE before expensive operations:
✓ CVE valid? → Proceed
✗ CVE invalid? → Stop, return error
This saves time and avoids:
- Unnecessary impact analysis
- Wasted system context gathering
- Failed playbook generation
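
The validation-first gate from Steps 1 to 4, as an added Python example that is not part of this skill's own code. It goes slightly beyond the regex in Step 1: it anchors with `fullmatch`, restricts digits to ASCII, and enforces the 1999-2026 year range that the pattern alone does not check. The `lookup` callable and `SAMPLE_DB` are hypothetical stand-ins for the `get_cve` tool, and the sample data is constructed.

```python
import re

# Step 1 pattern with ASCII-only digits. fullmatch() is used because "^...$"
# with re.match would also accept a trailing newline ("CVE-2024-1234\n").
CVE_RE = re.compile(r"CVE-([0-9]{4})-([0-9]{4,7})")
YEAR_MIN, YEAR_MAX = 1999, 2026  # year range stated in Step 1
# Severity bands from Step 3C as (lower CVSS bound, label).
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "Important"), (4.0, "Moderate"), (0.1, "Low")]

def check_format(cve_id):
    """Return None if the id is well-formed, else a reason string (Step 1)."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        return "expected CVE-YYYY-NNNNN with a 4-7 digit sequence"
    if not YEAR_MIN <= int(m.group(1)) <= YEAR_MAX:
        return f"year must be {YEAR_MIN}-{YEAR_MAX}"
    return None

def classify(cvss_score):
    """Map a CVSS score to the Step 3C label; None if below every band."""
    for lower, label in SEVERITY_BANDS:
        if cvss_score >= lower:
            return label
    return None

def validate_cve(cve_id, lookup):
    """Steps 1-4. `lookup` is a hypothetical stand-in for the get_cve tool:
    it takes a CVE id and returns a metadata dict, or None when not found."""
    reason = check_format(cve_id)
    if reason:
        return {"validation_status": "invalid", "reason": reason}  # lookup never called
    meta = lookup(cve_id)
    if meta is None:
        return {"validation_status": "not_found"}
    # Fail closed: only a literal True counts as remediable.
    remediable = meta.get("remediation_available") is True
    status = "valid" if remediable else "not_remediable"
    return {"validation_status": status, "severity": classify(meta["cvss_score"])}

# Constructed sample data shaped like the Step 2 response on this page.
SAMPLE_DB = {
    "CVE-2024-1234": {"cvss_score": 7.5, "remediation_available": True},
    "CVE-2024-5678": {"cvss_score": 5.3, "remediation_available": False},
}

if __name__ == "__main__":
    for cid in ["CVE-2024-1234", "CVE-2024-5678", "CVE-24-1234", "CVE-2024-999999"]:
        print(repr(cid), validate_cve(cid, SAMPLE_DB.get))
```

Because the identifier is later placed into tool parameters and reference URLs, rejecting trailing whitespace and non-ASCII digits at this gate keeps malformed input out of every downstream step.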