id: sb_cve_remediation
version: "1.0.0"
task_type: sb_cve_remediation
description: Convert CVE data into actionable remediation steps for network equipment in a SwitchBlade-managed environment
model_preference: qwen2.5:14b
model_minimum: qwen2.5:7b
temperature: 0.3
max_tokens: 2048
output_format: json

system_prompt: |
  You are a network security remediation specialist for SwitchBlade infrastructure management.
  Convert CVE advisories into structured, actionable remediation plans for network equipment operators.

  Return ONLY valid JSON:
  {
    "cve_id": "string",
    "cvss_score": number or null,
    "severity_assessment": {
      "vendor_severity": "critical|high|medium|low",
      "operator_severity": "critical|high|medium|low",
      "severity_reasoning": "string — why the operator severity may differ from vendor CVSS"
    },
    "affected_devices": [
      {
        "vendor": "string",
        "platform": "string",
        "software_version_affected": "string — version range",
        "software_version_fixed": "string"
      }
    ],
    "attack_vector": "network|adjacent|local|physical",
    "requires_authentication": true|false,
    "actively_exploited": true|false|null,
    "remediation_steps": [
      {
        "step": number,
        "action": "string — specific CLI command or procedure",
        "device_type": "string — which device type this applies to",
        "urgency": "immediate|within_24h|within_week|scheduled"
      }
    ],
    "workaround": "string or null — interim mitigation if patch unavailable",
    "patch_timeline": {
      "patch_available": true|false,
      "patch_release_date": "string or null",
      "expected_patch_date": "string or null"
    },
    "testing_required": true|false,
    "maintenance_window_required": true|false,
    "operator_notes": "string — context specific to network operators running this equipment"
  }

  Rules:
  - operator_severity may be LOWER than CVSS if the attack requires physical access or auth not available to external attackers
  - operator_severity may be HIGHER than CVSS if the device is a border router handling critical traffic
  - Remediation steps must be specific — not "update software" but "download JunOS 22.4R3 from juniper.net, schedule maintenance window, backup config with 'request system snapshot', install with 'request system software add ...'"
  - If no patch is available, the workaround must be a real mitigation, not "monitor logs"
  - actively_exploited: true only if confirmed by CISA KEV or vendor security advisory explicitly states it

user_template: |
  CVE data:
  {{cve_data}}

  Affected inventory in this network:
  {{affected_inventory}}

  Network context:
  {{network_context}}

  Generate remediation plan:

few_shot_examples:
  - user: |
      CVE data:
      CVE-2025-21834
      CVSS: 9.1 (Critical)
      Vendor: Juniper Networks
      Advisory: Juniper JVSA-2025-0019
      Description: Remote code execution via crafted BGP UPDATE message in JunOS. Unauthenticated network attacker with BGP session can trigger heap overflow.
      Affected: JunOS 22.2R1 through 22.2R3, 22.3R1 through 22.3R2, 22.4R1 through 22.4R2
      Fixed in: JunOS 22.2R3-S4, 22.3R3-S2, 22.4R3, 23.2R1
      Patch released: 2025-12-15

      Affected inventory in this network:
      - border-router-01.fra: PTX10016, JunOS 22.4R2
      - border-router-02.ams: PTX10016, JunOS 22.4R2
      - core-router-01.fra: MX480, JunOS 22.3R2

      Network context:
      All three routers have external BGP sessions to transit providers and peering partners.
    assistant: |
      {
        "cve_id": "CVE-2025-21834",
        "cvss_score": 9.1,
        "severity_assessment": {
          "vendor_severity": "critical",
          "operator_severity": "critical",
          "severity_reasoning": "All three affected routers have active external BGP sessions to untrusted peers. An attacker with a BGP session (or who can spoof one) can trigger RCE. Border routers are directly exposed. No downgrade possible — must patch."
        },
        "affected_devices": [
          {
            "vendor": "Juniper",
            "platform": "PTX10016 (border-router-01.fra, border-router-02.ams)",
            "software_version_affected": "22.4R1 through 22.4R2",
            "software_version_fixed": "22.4R3"
          },
          {
            "vendor": "Juniper",
            "platform": "MX480 (core-router-01.fra)",
            "software_version_affected": "22.3R1 through 22.3R2",
            "software_version_fixed": "22.3R3-S2"
          }
        ],
        "attack_vector": "network",
        "requires_authentication": false,
        "actively_exploited": null,
        "remediation_steps": [
          {
            "step": 1,
            "action": "Implement BGP RPKI strict validation and max-prefix limits on all external BGP sessions immediately as interim mitigation: 'set protocols bgp group TRANSIT neighbor x.x.x.x family inet unicast prefix-limit maximum 800000 teardown 75'",
            "device_type": "All affected Juniper routers",
            "urgency": "immediate"
          },
          {
            "step": 2,
            "action": "Download JunOS 22.4R3 for PTX10016 from https://support.juniper.net — verify checksum against advisory",
            "device_type": "PTX10016 (border-router-01.fra, border-router-02.ams)",
            "urgency": "within_24h"
          },
          {
            "step": 3,
            "action": "Backup configurations: 'request system configuration rescue save' on each device",
            "device_type": "All affected routers",
            "urgency": "within_24h"
          },
          {
            "step": 4,
            "action": "Schedule 2-hour maintenance window per router. Install: 'request system software add /var/tmp/junos-ptx-22.4R3.tgz'. Reboot required.",
            "device_type": "PTX10016",
            "urgency": "within_24h"
          },
          {
            "step": 5,
            "action": "Download JunOS 22.3R3-S2 for MX480 and apply in separate maintenance window after PTX upgrades complete",
            "device_type": "MX480 (core-router-01.fra)",
            "urgency": "within_week"
          }
        ],
        "workaround": "BGP max-prefix limits and RPKI strict validation reduce (but do not eliminate) attack surface. Do not accept BGP sessions from unknown sources. These are interim measures only — patch as priority.",
        "patch_timeline": {
          "patch_available": true,
          "patch_release_date": "2025-12-15",
          "expected_patch_date": null
        },
        "testing_required": true,
        "maintenance_window_required": true,
        "operator_notes": "Patch border routers first (highest exposure). Stagger maintenance windows between border-router-01 and border-router-02 to maintain redundancy. Verify BGP sessions re-establish within 5 minutes of reboot before closing maintenance window."
      }

variables:
  - cve_data
  - affected_inventory
  - network_context
  - few_shot_examples

validation_rules:
  output_must_be_json: true
  required_fields: ["cve_id", "affected_devices", "remediation_steps", "workaround", "patch_timeline"]
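The template's validation_rules only name five required fields, but the system prompt's JSON schema also fixes the allowed enum values and the Rules section forbids vague actions and empty workarounds when no patch exists. The validator below, an added example that is not SwitchBlade's own code, shows how an operator pipeline could enforce all of that before anyone acts on a model-produced plan; `validate_plan()`, the extra checks beyond `required_fields`, and the two sample plans are this example's assumptions (the samples are constructed from the few-shot output above).

```python
"""Validator for the sb_cve_remediation output schema.  Added example, not
SwitchBlade's own code: validate_plan() and every check beyond the template's
required_fields list are this example's assumptions about how a pipeline would
gate a model-produced plan before anyone acts on it."""
import json
import re

# Enumerations copied from the JSON template in system_prompt above.
SEVERITIES = {"critical", "high", "medium", "low"}
ATTACK_VECTORS = {"network", "adjacent", "local", "physical"}
URGENCIES = {"immediate", "within_24h", "within_week", "scheduled"}
# Mirrors validation_rules.required_fields in the template.
REQUIRED_FIELDS = ("cve_id", "affected_devices", "remediation_steps",
                   "workaround", "patch_timeline")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Actions the Rules section names as unacceptable on their own.
VAGUE_ACTIONS = {"update software", "monitor logs"}


def validate_plan(raw: str) -> list:
    """Return a list of problems found in the model output; [] means it passes."""
    problems = []
    try:
        plan = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"output is not valid JSON: {exc.msg}"]
    if not isinstance(plan, dict):
        return ["top-level JSON value must be an object"]

    problems += [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in plan]

    cve_id = plan.get("cve_id")
    if isinstance(cve_id, str) and not CVE_RE.match(cve_id):
        problems.append(f"cve_id has unexpected format: {cve_id!r}")

    score = plan.get("cvss_score")
    if score is not None and not (isinstance(score, (int, float))
                                   and not isinstance(score, bool)
                                   and 0.0 <= score <= 10.0):
        problems.append(f"cvss_score must be null or a number 0-10, got {score!r}")

    sev = plan.get("severity_assessment")
    sev = sev if isinstance(sev, dict) else {}
    for key in ("vendor_severity", "operator_severity"):
        if sev.get(key) not in SEVERITIES:
            problems.append(f"severity_assessment.{key} not in {sorted(SEVERITIES)}")

    if plan.get("attack_vector") not in ATTACK_VECTORS:
        problems.append("attack_vector not in network|adjacent|local|physical")
    for key in ("requires_authentication", "testing_required", "maintenance_window_required"):
        if not isinstance(plan.get(key), bool):
            problems.append(f"{key} must be true or false")
    if plan.get("actively_exploited") not in (True, False, None):
        problems.append("actively_exploited must be true, false or null")

    steps = plan.get("remediation_steps")
    if isinstance(steps, list):
        for i, step in enumerate(steps, start=1):
            if not isinstance(step, dict):
                problems.append(f"remediation_steps[{i - 1}] must be an object")
                continue
            if step.get("step") != i:  # steps must be numbered 1..n in order
                problems.append(f"remediation_steps[{i - 1}].step should be {i}")
            if step.get("urgency") not in URGENCIES:
                problems.append(f"remediation_steps[{i - 1}].urgency not in allowed set")
            action = str(step.get("action", "")).strip().lower().rstrip(".")
            if action in VAGUE_ACTIONS:
                problems.append(f"remediation_steps[{i - 1}].action is too vague: {action!r}")
    elif "remediation_steps" in plan:
        problems.append("remediation_steps must be a list")

    timeline = plan.get("patch_timeline")
    timeline = timeline if isinstance(timeline, dict) else {}
    if timeline.get("patch_available") is False and not plan.get("workaround"):
        problems.append("patch_available is false, so workaround must be a real mitigation, not null")
    return problems


# Constructed sample: a trimmed version of the few-shot assistant output above.
GOOD_PLAN = json.dumps({
    "cve_id": "CVE-2025-21834", "cvss_score": 9.1,
    "severity_assessment": {"vendor_severity": "critical", "operator_severity": "critical",
                            "severity_reasoning": "border routers with external BGP sessions"},
    "affected_devices": [{"vendor": "Juniper", "platform": "PTX10016",
                          "software_version_affected": "22.4R1 through 22.4R2",
                          "software_version_fixed": "22.4R3"}],
    "attack_vector": "network", "requires_authentication": False, "actively_exploited": None,
    "remediation_steps": [
        {"step": 1, "action": "Apply BGP prefix-limit on external sessions", "device_type": "All", "urgency": "immediate"},
        {"step": 2, "action": "Install JunOS 22.4R3: 'request system software add /var/tmp/junos-ptx-22.4R3.tgz'",
         "device_type": "PTX10016", "urgency": "within_24h"},
    ],
    "workaround": "BGP max-prefix limits and RPKI strict validation",
    "patch_timeline": {"patch_available": True, "patch_release_date": "2025-12-15", "expected_patch_date": None},
    "testing_required": True, "maintenance_window_required": True, "operator_notes": "Patch border routers first.",
})

# Constructed sample of the failure modes the Rules section warns about.
BAD_PLAN = json.dumps({
    "cve_id": "CVE-2025-21834", "cvss_score": 9.1,
    "severity_assessment": {"vendor_severity": "critical", "operator_severity": "severe"},
    "affected_devices": [], "attack_vector": "network", "requires_authentication": False,
    "actively_exploited": None,
    "remediation_steps": [{"step": 1, "action": "Update software.", "device_type": "All", "urgency": "soon"}],
    "workaround": None,
    "patch_timeline": {"patch_available": False, "patch_release_date": None, "expected_patch_date": None},
    "testing_required": True, "maintenance_window_required": True,
})

if __name__ == "__main__":
    print(validate_plan(GOOD_PLAN))  # expect []
    for problem in validate_plan(BAD_PLAN):
        print("BAD:", problem)
```

A rejected plan should go back to the model with the problem list rather than being shown to an operator; the `actively_exploited` rule (true only when CISA KEV or the vendor advisory confirms it) cannot be checked offline, so a pipeline would cross-reference that field against a KEV feed separately.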