Investigating your Jira Service Management for attempts to exploit security vulnerability CVE-2019-14994
Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.
For more information about CVE-2019-14994 and the affected Jira Server versions, see the full security advisory.
This document provides guidance you may use in your security assessment, customers search for evidence an attacker has attempted to exploit the vulnerability. But the logs don't provide the information needed to determine if exploitation succeeded.
Access logs may have been tampered with, rotated or deleted. Where applicable, compare your Jira instance logs with other sources such as those from the reverse proxy and load balancer.
When exploited, the vulnerability allows an attacker to view protected information on a Jira Service Management instance, such as issue details, comments, and list of projects and issues. To check if your instance has been exploited, you need to check the access logs to verify whether the URLs with the following patterns: /servicedesk/customer/../../ and /servicedesk/customer/..;/..;/ have been used in this exploit.
Access logs can be found in Jira installation directory in the "logs" subdirectory.
- Go to
- Run the following command to see if your instance has been affected. A non-affected instance should return 0 as the result.
grep -c -e "/servicedesk/customer/../../" -e "/servicedesk/customer/..;/..;/" access*
3. Extract lines from the access log with the information on the context of the exploitable requests using the following command:
grep -e "/servicedesk/customer/../../" -e "/servicedesk/customer/..;/..;/" access*
grep is not available on your Windows instance, use the following command.
find /C "/servicedesk/customer/../../" access* & find /C "/servicedesk/customer/..;/..;/" access*