CVE-2019-1003000 — Vulnetix

CVE-2019-1003000 PUBLISHED

## Snort IDS/IPS Mitigation Rules (2 rules) The following Emerging Threats Snort rules detect exploitation of this vulnerability: ### Rule 1: SID 2027350 (rev 2) **ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2** ```snort alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2"; flow:established,to_server; content:"GET"; http_method; depth:3; content:"/securityRealm/user/"; http_uri; depth:20; fast_pattern; content:"descriptorByName/"; http_uri; distance:0; content:"checkScript"; http_uri; distance:0; content:"|40|ASTTest"; http_uri; distance:0; content:"Runtime|2e|getRuntime|28 29 2e|exec|28 22|"; http_uri; distance:0; content:"|22 29 7d 29 0a|"; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027350; rev:2; metadata:attack_target Server, created_at 2019_05_10, cve CVE_2018_100086, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2019_05_10;) ``` --- ### Rule 2: SID 2027349 (rev 3) **ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1** ```snort alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; content:"GET"; http_method; depth:3; content:"/securityRealm/user/"; http_uri; depth:20; fast_pattern; content:"descriptorByName/"; http_uri; distance:0; content:"checkScriptCompile"; http_uri; distance:0; content:"value=|40|GrabConfig"; http_uri; distance:0; content:"|40|GrabResolver|28|"; http_uri; distance:0; content:"|27|http"; http_uri; distance:0; within:60; content:"|27 29 0a 40|Grab|28|"; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:3; metadata:attack_target Server, created_at 2019_05_10, cve CVE_2018_100086, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2019_08_19;) ``` ### Implementation Steps 1. Deploy these rules to your Snort/Suricata IDS/IPS sensors 2. Ensure all rules are enabled in your sensor configuration 3. Monitor for alerts matching the above SIDs 4. For IPS mode, consider changing action from `alert` to `drop`

EPSS 94.44% · 100.0th percentile

Risk Scores

EPSS Score

94.44%

100.0th percentile

Timeline

Jan 22, 2019 CVE Published
Feb 25, 2019 PoC Published
Mar 19, 2019 PoC Published
May 10, 2019 PoC Published
May 17, 2019 CVE Updated
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Sep 14, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Dec 25, 2021 EPSS Score
Feb 25, 2022 EPSS Score
Apr 28, 2022 EPSS Score

References

Open in Interactive Console →