CVE-2019-1003000
## Snort IDS/IPS Mitigation Rules (2 rules)

The following Emerging Threats Snort rules detect exploitation of this vulnerability:

### Rule 1: SID 2027350 (rev 2)

**ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2**

```snort
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M2"; flow:established,to_server; content:"GET"; http_method; depth:3; content:"/securityRealm/user/"; http_uri; depth:20; fast_pattern; content:"descriptorByName/"; http_uri; distance:0; content:"checkScript"; http_uri; distance:0; content:"|40|ASTTest"; http_uri; distance:0; content:"Runtime|2e|getRuntime|28 29 2e|exec|28 22|"; http_uri; distance:0; content:"|22 29 7d 29 0a|"; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027350; rev:2; metadata:attack_target Server, created_at 2019_05_10, cve CVE_2018_100086, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2019_05_10;)
```

---

### Rule 2: SID 2027349 (rev 3)

**ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1**

```snort
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Chained Exploits CVE-2018-1000861 and CVE-2019-1003000 M1"; flow:established,to_server; content:"GET"; http_method; depth:3; content:"/securityRealm/user/"; http_uri; depth:20; fast_pattern; content:"descriptorByName/"; http_uri; distance:0; content:"checkScriptCompile"; http_uri; distance:0; content:"value=|40|GrabConfig"; http_uri; distance:0; content:"|40|GrabResolver|28|"; http_uri; distance:0; content:"|27|http"; http_uri; distance:0; within:60; content:"|27 29 0a 40|Grab|28|"; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; reference:cve,2018-1000861; reference:cve,2019-1003000; reference:url,blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html; reference:url,blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html; classtype:web-application-attack; sid:2027349; rev:3; metadata:attack_target Server, created_at 2019_05_10, cve CVE_2018_100086, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2019_08_19;)
```

### Implementation Steps

1. Deploy these rules to your Snort/Suricata IDS/IPS sensors
2. Ensure all rules are enabled in your sensor configuration
3. Monitor for alerts matching the above SIDs
4. For IPS mode, consider changing action from `alert` to `drop`
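
One way to carry out steps 2 and 4 on a rules file, as an added example that is not part of the original page or of the Emerging Threats tooling: the hypothetical helper `prepare_rules` uncomments the two SIDs above if they are disabled and switches their action to `drop`, leaving every other line untouched. It assumes one rule per line; the sample rules are constructed and shortened to `msg` and `sid` only.

```python
import re

# SIDs of the two Emerging Threats rules listed on this page.
JENKINS_SIDS = {2027349, 2027350}

# One rule per line: optional "#" (disabled), an action, header, then "( options )".
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?P<action>alert|drop|reject|pass)\s+(?P<rest>\S.*\(.*\))$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample input: real rule bodies are much longer.
SAMPLE = '''\
# constructed sample: rule bodies shortened to msg and sid only
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Jenkins M2 (shortened)"; sid:2027350; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Jenkins M1 (shortened)"; sid:2027349; rev:3;)
alert tcp any any -> any any (msg:"unrelated (constructed)"; sid:1000001; rev:1;)
'''


def prepare_rules(text, sids=JENKINS_SIDS, action="drop"):
    """Return (new_text, changed_sids) with the target rules enabled and set to `action`."""
    out, changed = [], []
    for line in text.splitlines():
        rule = RULE_RE.match(line.strip())
        sid = SID_RE.search(line)
        if rule and sid and int(sid.group(1)) in sids:
            # Dropping the leading "#" enables the rule; the action is replaced.
            new = f"{action} {rule.group('rest')}"
            if new != line:
                changed.append(int(sid.group(1)))
            out.append(new)
        else:
            # Comments, blank lines and rules with other SIDs pass through unchanged.
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = prepare_rules(SAMPLE)
    print(new_text, end="")
    print("changed SIDs:", changed)
```

Run it against a copy of the rules file and diff the result before reloading the sensor; a second pass over its own output reports no changes.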
EPSS 94.44% · 100.0th percentile
Risk Scores
Exploit Intelligence
- ET WEB_SPECIFIC_APPS Jenkins Script Security Plugin Sandbox Bypass (CVE-2019-1003000) (emergingthreats)
- Python CVE-2019-1003000 and CVE-2018-1999002 Pre-Auth RCE Jenkins (github-poc-repo)
- A C# module to detect if a Jenkins server is vulnerable to the RCE vulnerability found in CVE-2019-1003000 (chained with CVE-2018-1000861 for pre-auth RCE) (github-poc-repo)
…and 86 more exploits
Timeline
- CVE Published
- Feb 25, 2019 PoC Published
- Mar 19, 2019 PoC Published
- May 10, 2019 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Sep 14, 2021 EPSS Score
- Sep 16, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score