Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

CVE-2015-2488 infection?

Mads Jensen2
Mads Jensen October 1, 2015

Every time I open our hosted JIRA page (clioonline.atlassian.net), my virusscanner tells me that a file infected with CVE-2015-2488 is quarantined. I've scanned my system rigorously, with multiple tools, to no avail - the warning keeps popping up when the JIRA page is opened. No other page, I've opened, is giving me that warning.

Are you possibly infected with this exploit?

Answer
Watch
Like Be the first to like this
721 views

7 answers

1 vote
Jonas Andersson
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 5, 2015

There is something off with his login page.. In the html i see base64 encoded payloads (an "image"), search for:

indra-icon-gapps{background-image:url(data:image/png;base64

Dont have time do debase it, but it's not common practice to create a "background" picture (8.9kb) which is encoded like this.You normally just link to the image in the css.

Some developer at Atlassian might want to correct me on this?

View More Comments
Jonas Andersson
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 5, 2015

Have started base64 decoding the objects, one part of it is for sure a PNG headered payload. Will check the rest tonight.

Like
Jonas Andersson
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 6, 2015

Had a look at most of the 58 base64 payloads yesterday. Most of them are PNG's but some of the encoded elements wasnt, so i am still looking at those, but having what your antivirus flagged as malicious would jump me past having to look in all remaining files decoded.

Like
Mads Jensen2
Mads Jensen October 6, 2015

I've mailed you an infected file, @Jonas Andersson. The file is double packed and password protected so not to set off mailscanners (mine and/or yours). Instructions is in the mail.

Like
Jonas Andersson
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 7, 2015

Thank you, didn't have time yesterday but is curious to have a look tonight. Thank you.

Like
Reply
1 vote
no_longer_in_sudoers_file
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 2, 2015

@Mads Jensen,

I would encourage you to contact support.atlassian.com and provide the following details:

(1) What browser are you using?

(2) What operating system?

(3) What antivirus?

At present, that CVE (CVE-2015-2488) is marked as reserved pending release of details of any possible issue with an unknown software.  I know of no vulnerability in our current systems, but will keep my ears out.

Reply
1 vote
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 1, 2015

That's almost certainly something on your machine, not the JIRA website.  All JIRA hands to your browser is images and html.  If there is something bad in an image, then you uploaded it!

Also, the number refers to security issues in Internet Explorer, not a general attack on any technology used in JIRA.

Reply
0 votes
Aaron Moffatt
Aaron Moffatt
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 8, 2015

Hi Everyone, 

Did this issue ever get figured out? We have a user who receives this message whenever he logs onto another companies instance of JIRA or Confluence, but not on our own. I am investigating the issue for him, so any information would be great.

 

Kind Regards, 

Reply
0 votes
Steve Moffat
Steve Moffat October 5, 2015

This morning our server-side sys admin contacted me to report that his virus scanner had posted several messages like this:

application-data/jira/tmp/webresources/697.cachedfile!(0): Html.Exploit.CVE_2015_2488 FOUND

This doesn't sound like the same issue you are having, mainly because you receive the warning before logging in, but it may be something to check at the server anyway.  I am not sure what JIRA uses those cache file for.  In our case I've asked the sys admin to zip the files and delete them from the server.

Reply
0 votes
Mads Jensen2
Mads Jensen October 4, 2015

Normally I would agree, but this happens only when I open an Atlassian hosted page, even these support pages - not on any other page, I've tried. And it happens as soon as the login page, so before I even get to any of our content.

I've checked multiple times - as soon as I open an Atlassian hosted page, a randomly named file is being quarantined. And this is from Firefox and Chrome. I hardly use IE at all.

 

 

 

View More Comments
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 5, 2015

In that case, your virus checker is broken. No-one else is reporting this, and the virus checker is reporting a reference that is a) not released and b) reserved for an IE security issue - so it's a wrong number whatever the cause. There is something on your machine that's given it a false lead or it's detecting incorrectly.

Like
Reply
0 votes
Mads Jensen6
Mads Jensen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
October 2, 2015

hi @Sam Caldwell - I think you have the wrong Mads Jensen. Possibly one of the other folks. 

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.