CVE Validation Skill

This skill validates CVE identifiers and checks remediation availability in Red Hat Insights, ensuring CVEs are valid and remediable before investing effort in remediation planning.

Integration with Remediator Agent: The remediator agent orchestrates this skill as part of its Step 2 (Validate CVE) workflow. For standalone CVE validation, you can invoke this skill directly.

When to Use This Skill

Use this skill directly when you need:

• Quick validation of CVE identifier format and existence
• Check if automated remediation is available
• Verify CVE metadata before analysis
• Validate CVE lists for batch operations

Use the remediator agent when you need:

• Full remediation workflow (validation + analysis + playbook + execution)
• Integrated CVE validation as part of remediation planning

How they work together: The remediator agent invokes this skill early in the workflow to fail fast if a CVE is invalid or has no automated remediation, saving time and effort.

Workflow

1. CVE Format Validation

Validate CVE identifier format before calling MCP tools:

CVE Format: CVE-YYYY-NNNNN
Where:
- YYYY = 4-digit year (1999-2026)
- NNNNN = 4-7 digit sequence number

Valid Examples:
- CVE-2024-1234
- CVE-2023-12345
- CVE-2021-1234567

Invalid Examples:
- CVE-24-1234 (year must be 4 digits)
- CVE-2024-ABC (sequence must be numeric)
- 2024-1234 (missing CVE- prefix)

Quick Regex Check:

Pattern: ^CVE-\d{4}-\d{4,7}$

If invalid format:
→ Return error immediately
→ Suggest format correction
→ Do not proceed to MCP tool calls

2. CVE Metadata Retrieval

MCP Tool: get_cve (from insights-mcp vulnerability toolset)

Retrieve CVE metadata from Red Hat Insights:

{
  "cve_id": "CVE-2024-1234",
  "cvss_score": 7.5,
  "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "severity": "Important",  # Red Hat severity rating
  "description": "A vulnerability in Apache HTTPD...",
  "published_date": "2024-01-15",
  "modified_date": "2024-01-20",

  "affected_packages": [
    {
      "name": "httpd",
      "version": "2.4.37-1.el8",
      "fixed_version": "2.4.37-2.el8"
    }
  ],

  "references": [
    "https://access.redhat.com/errata/RHSA-2024:1234",
    "https://nvd.nist.gov/vuln/detail/CVE-2024-1234"
  ],

  "cwe": "CWE-400: Uncontrolled Resource Consumption",

  "exploitability": "Proof of concept available",
  "remediation_available": true,  # KEY FIELD
  "reboot_required": false
}

3. Validation Checks

Perform comprehensive validation:

A. Existence Check:

✓ CVE exists in Red Hat CVE database
✗ CVE not found → Return error with suggestions

B. Red Hat Relevance Check:

✓ CVE affects RHEL systems
✗ CVE is Windows/macOS specific → Not applicable to RHEL

C. Severity Classification:

Red Hat Severity Levels:
- Critical (CVSS 9.0-10.0): Immediate action required
- Important (CVSS 7.0-8.9): Urgent remediation needed
- Moderate (CVSS 4.0-6.9): Plan remediation
- Low (CVSS 0.1-3.9): Low priority

D. Remediation Availability Check:

Key Question: Can Red Hat Insights generate an automated playbook?

✓ remediation_available = true
  → Proceed with automated remediation
  → Use create_vulnerability_playbook tool

✗ remediation_available = false
  → Manual remediation required
  → Provide manual steps based on affected packages

E. Package Information Validation:

Check affected_packages array:
✓ Packages identified: httpd-2.4.37-1.el8
✓ Fixed version available: httpd-2.4.37-2.el8
✓ Package exists in RHEL repositories

This information will be used by playbook-generator skill.

4. Return Validation Result

Return structured validation result:

{
  "validation_status": "valid",  # or "invalid", "not_found", "not_remediable"

  "cve_metadata": {
    "cve_id": "CVE-2024-1234",
    "cvss_score": 7.5,
    "severity": "Important",
    "description": "Brief description...",
    "published_date": "2024-01-15"
  },

  "remediation_status": {
    "automated_remediation_available": true,
    "reboot_required": false,
    "affected_packages": [
      {
        "name": "httpd",
        "current_version": "2.4.37-1.el8",
        "fixed_version": "2.4.37-2.el8"
      }
    ]
  },

  "recommendations": [
    "Automated remediation available via Red Hat Insights",
    "No reboot required for this CVE",
    "Severity: Important - Urgent remediation recommended",
    "Test in staging environment before production deployment"
  ],

  "next_steps": [
    "Analyze CVE impact (use cve-impact skill)",
    "Gather system context (use system-context skill)",
    "Generate remediation playbook (use playbook-generator skill)"
  ]
}

Output Template

When completing CVE validation, provide output in this format:

# CVE Validation Result

## CVE: CVE-YYYY-NNNNN
**Status**: ✓ Valid

## CVE Information
**CVSS Score**: 7.5 (Important)
**Published**: 2024-01-15
**Description**: [Brief description of the vulnerability]

## Affected Packages
- httpd-2.4.37-1.el8 → httpd-2.4.37-2.el8 (fixed)

## Remediation Status
✓ **Automated Remediation Available**
✓ Package updates available
✗ Reboot NOT required

## Severity Assessment
**Red Hat Severity**: Important
**Priority**: P1 - Urgent remediation recommended
**Response Time**: Within 7 days

## Recommendations
1. Automated remediation available via Red Hat Insights
2. No reboot required - minimal disruption
3. Test in staging environment first
4. Schedule deployment during change window

## Next Steps
1. Analyze CVE impact → Use cve-impact skill
2. Gather system context → Use system-context skill
3. Generate remediation playbook → Use playbook-generator skill
4. Execute remediation → Follow playbook instructions
5. Verify success → Use remediation-verifier skill

Examples

Example 1: Valid CVE with Automated Remediation

User Request: “Validate CVE-2024-1234”

Skill Response:

1. Check format → Valid (CVE-2024-1234)
2. Call get_cve → CVE found in database
3. Check remediation_available → true
4. Extract metadata → CVSS 7.5, Important severity, httpd package
5. Return: “Valid CVE, automated remediation available, proceed with workflow”

Example 2: Valid CVE, No Automated Remediation

User Request: “Validate CVE-2024-5678”

Skill Response:

1. Check format → Valid
2. Call get_cve → CVE found
3. Check remediation_available → false
4. Extract manual steps → Affected package: custom-app-1.0
5. Return: “Valid CVE but no automated playbook. Manual remediation required: yum update custom-app”

Example 3: Invalid CVE Format

User Request: “Validate CVE-24-1234”

Skill Response:

1. Check format → Invalid (year must be 4 digits)
2. Return error immediately without MCP call
3. Suggest correction: “Did you mean CVE-2024-1234?”

Example 4: CVE Not Found

User Request: “Validate CVE-2024-999999”

Skill Response:

1. Check format → Valid
2. Call get_cve → 404 Not Found
3. Return: “CVE not found in Red Hat database. Possible reasons: CVE too recent, doesn’t affect RHEL, or invalid ID. Check NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-999999“

Example 5: Batch Validation

User Request: “Validate CVE-2024-1234, CVE-2024-5678, CVE-2024-9012”

Skill Response:

1. Validate each CVE sequentially
2. Return summary:
   • CVE-2024-1234: ✓ Valid, automated remediation available
   • CVE-2024-5678: ✓ Valid, manual remediation required
   • CVE-2024-9012: ✗ Invalid format (CVE-2024-90124 has too many digits)
3. Suggest: “Proceed with automated remediation for CVE-2024-1234, manual steps for CVE-2024-5678, correct format for third CVE”

Error Handling

CVE Format Invalid:

CVE Validation Failed: Invalid Format

Provided: CVE-24-1234
Expected Format: CVE-YYYY-NNNNN

Where:
- YYYY = 4-digit year (e.g., 2024)
- NNNNN = 4-7 digit sequence number

Suggestion: Did you mean CVE-2024-1234?

CVE Not Found in Database:

CVE Validation Failed: Not Found

CVE-YYYY-NNNNN was not found in the Red Hat CVE database.

Possible reasons:
1. CVE is too recent (not yet in Red Hat Insights)
2. CVE doesn't affect RHEL systems (Windows/macOS specific)
3. CVE ID is incorrect or doesn't exist

Next steps:
1. Verify CVE ID at NVD: https://nvd.nist.gov/vuln/detail/CVE-YYYY-NNNNN
2. Check Red Hat Security Advisories: https://access.redhat.com/security/cve/CVE-YYYY-NNNNN
3. Wait 24-48 hours if CVE was just published

CVE Exists But No Automated Remediation:

CVE Validation: Valid (No Automated Remediation)

CVE-YYYY-NNNNN is valid but does not have an automated remediation playbook.

CVE Details:
- CVSS Score: X.X
- Severity: Important
- Affected Packages: package-name-version

Manual Remediation Required:

1. Update package manually:
   ```bash
   # RHEL 8/9
   sudo dnf update package-name

   # RHEL 7
   sudo yum update package-name

2. Restart service (if applicable):

   sudo systemctl restart service-name
   

3. Verify fix:

   package-name --version
   

Would you like me to create a manual playbook template based on these steps?

**API Access Error**:

CVE Validation Failed: API Access Error

Unable to access Red Hat Insights API.

Possible causes:

• Network connectivity issue
• API authentication failure
• Insights service temporarily unavailable

Troubleshooting:

1. Check network connectivity: ping console.redhat.com
2. Verify credentials: insights-client –status
3. Check Insights service status: https://status.redhat.com
4. Retry in a few minutes

## Best Practices

1. **Validate format first** - Don't waste API calls on malformed CVE IDs
2. **Check remediation availability** - Fail fast if no automated remediation
3. **Batch validation efficiently** - Validate multiple CVEs in parallel when possible
4. **Provide clear next steps** - Guide users to appropriate next action
5. **Include manual steps** - Always provide manual remediation guidance if automated is unavailable
6. **Link to official sources** - Include NVD and Red Hat Security links
7. **Cache validation results** - Avoid redundant API calls for same CVE

## Tools Reference

This skill primarily uses:
- `get_cve` (vulnerability toolset) - Get CVE metadata from Red Hat Insights

All tools are provided by the insights-mcp MCP server configured in `.mcp.json`.

## Integration with Other Skills

- **cve-impact**: Validates CVE before performing impact analysis
- **playbook-generator**: Only generates playbooks for valid, remediable CVEs
- **system-context**: Only gathers context for valid CVEs
- **remediation-verifier**: Validates CVE was properly remediated

**Orchestration Example** (from remediator agent):
1. User requests remediation for CVE-2024-1234
2. Agent invokes cve-validation skill → Confirms valid and remediable
3. Agent invokes cve-impact skill → Risk assessment
4. Agent invokes system-context skill → Deployment architecture
5. Agent invokes playbook-generator skill → Creates playbook
6. User executes playbook
7. Agent invokes remediation-verifier skill → Confirms success

**Validation-First Pattern**:

Always validate CVE before expensive operations: ✓ CVE valid? → Proceed ✗ CVE invalid? → Stop, return error

This saves time and avoids:

• Unnecessary impact analysis
• Wasted system context gathering
• Failed playbook generation