Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions submissions/red-hat-cve-explainer/evals/evals.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"skill_name": "red-hat-cve-explainer",
"evals": [
{
"id": "red-hat-cve-explainer-eval",
"name": "Red Hat CVE Explainer",
"prompt": "You are a Red Hat IT support specialist. A sysadmin asks:\n\n\"We got flagged on CVE-2024-6387 (the OpenSSH regreSSHion vulnerability). Can you explain what it is, how bad it is for our Red Hat systems, and what we should do? Also, walk me through the specific criteria Red Hat uses for each severity tier — I need to understand exactly what makes something Critical vs Important vs Moderate vs Low. And how do you enrich CVE data with advisory remediation details?\"\n\nProvide a thorough response.",
"expected_output": "A thorough CVE explanation with Red Hat-specific severity tier criteria (not just labels), advisory enrichment via advisories-mcp tools (map-cve-advisories, get-advisory-solution), and the three Red Hat advisory types (RHSA/RHBA/RHEA) with their distinct purposes.",
"assertions": [
"The output defines Red Hat's Critical severity with specific technical criteria: remote unauthenticated exploitation, no user interaction required, and wormable or trivially automatable — not just 'very severe' or a CVSS range.",
"The output defines Red Hat's Important severity with specific technical criteria that distinguish it from Critical: local privilege escalation to root, authenticated RCE, or significant denial of service.",
"The output defines Red Hat's Moderate severity as vulnerabilities that would otherwise be Critical or Important but require unusual configuration, user interaction, or other preconditions to exploit.",
"The output describes enriching CVE data with advisory remediation details by mapping CVEs to advisories (RHSA/RHBA/RHEA) and retrieving per-advisory solution or remediation information.",
"The output explains that when no Red Hat advisory exists for a CVE, the response should note the fix is under investigation and include any published mitigations, rather than speculating about remediation."
]
}
]
}
5 changes: 5 additions & 0 deletions submissions/red-hat-cve-explainer/metadata.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
name: red-hat-cve-explainer
description: "Explain a CVE using Red Hat's severity rating system. Looks up the CVE,"
persona: rh-sre
version: "1.0.0"
eval_engine: ase
83 changes: 83 additions & 0 deletions submissions/red-hat-cve-explainer/skills/SKILL.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
---
name: red-hat-cve-explainer
description: Explain a CVE using Red Hat's severity rating system. Looks up the CVE,
explains the rating, and suggests a course of action.
license: Apache-2.0
---

# Red Hat CVE Explainer

Extract `CVE-YYYY-NNNNN` from user message. If none, ask. Handle multiple CVEs separately in one response.

## Prerequisites

None — falls back to WebFetch if the Red Hat Security MCP is unavailable.

## When to Use This Skill

When the user asks about a specific CVE: what it is, its severity, or whether to patch.

## Workflow

1. Extract CVE ID from the user message.
2. Look up CVE metadata via `cve-mcp` or WebFetch.
3. Look up linked advisories via `advisories-mcp` or extract from CVE response.
4. Return severity, affected products, and action recommendation.

## Dependencies

- `red-hat-security` MCP (optional): provides `cve-mcp` and `advisories-mcp` tools.

## Lookup Sequence

CVE metadata (stop when you have data):
1. `cve-mcp` -> `cve-detail`
2. `WebFetch` -> `https://access.redhat.com/security/cve/<CVE-ID>`
3. No Red Hat data: say so, direct to `https://nvd.nist.gov/vuln/detail/<CVE-ID>`

Advisory/remediation (after step 1-2 succeeds):
1. `advisories-mcp` -> `map-cve-advisories` -- linked RHSAs/RHBAs/RHEAs
2. `advisories-mcp` -> `get-advisory-solution` for each advisory
3. Optionally `advisories-mcp` -> `summarize-advisory` for richer detail

If advisories MCP unavailable: extract advisory IDs from CVE response, report without remediation detail.

## Advisory Types

| Prefix | Type | What it fixes |
|--------|------|---------------|
| RHSA | Red Hat Security Advisory | One or more CVEs -- highest urgency |
| RHBA | Red Hat Bug Advisory | Bug fixes only -- no CVE, no security urgency |
| RHEA | Red Hat Enhancement Advisory | New features/capabilities -- no security fix |

In Output, label each advisory by type: e.g., "RHSA-2024:1234 (Security Advisory)".

## Red Hat Severity

- Critical -- Remote unauthenticated, no user interaction; wormable or trivially automated
- Important -- Local privesc to root, authenticated RCE, or significant DoS
- Moderate -- Would be Critical/Important but requires unusual config, user interaction, or other preconditions
- Low -- Minimal real-world impact; exploitation requires unlikely circumstances

Scored with CVSS v3 (0.0-10.0). Scores may differ from NVD due to product-specific flags, hardening, and deployment context.

## Output

### [CVE ID]

**Severity:** [Red Hat rating] (CVSS [score])

**What it is:** 1-2 sentences plain language.

**Why [rating]:** Connect flaw to rating criteria -- ease of exploitation, auth/interaction requirements.

**Affected products:** Affected Red Hat products with fix status. Per advisory: ID + remediation from `get-advisory-solution`. If no advisory: note fix is under investigation, include published mitigations.

**Action:**
- Critical -> "Patch immediately. Exploitable by remote unauthenticated attackers."
- Important -> "Patch at your next maintenance window."
- Moderate -> "Include in your regular update cycle."
- Low -> "Apply when convenient. Monitor for severity changes."
- No patch -> include published mitigations from Red Hat's CVE page.

Write for a sysadmin deciding urgency. If Red Hat CVSS differs significantly from NVD, briefly note scores are product-specific. Never speculate about exploit availability beyond Red Hat's data.