Investigating your Jira Service Management for attempts to exploit security vulnerability CVE-2019-15004


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible


For more information about CVE-2019-15004 and the affected Jira Server versions, see the full security advisory.

  • This document provides guidance you may use in your security assessment when searching for evidence that an attacker has attempted to exploit the vulnerability. The logs do not, however, provide the information needed to determine whether an exploitation attempt succeeded.

  • Access logs may have been tampered with, rotated or deleted. Where applicable, compare your Jira instance logs with other sources such as those from the reverse proxy and load balancer.

When exploited, the vulnerability allows an attacker to view protected information on a Jira Service Management instance, such as issue details, comments, and the list of projects and issues. To check whether your instance has been targeted, search the access logs for requests whose URLs contain the patterns /servicedesk/customer/../../ or /servicedesk/customer/..;/..;/.

Access logs can be found in the Jira installation directory, in the "logs" subdirectory.

  1. Go to <Jira-installation-directory>/logs.
  2. Run the following command to see if your instance has been affected. A non-affected instance should return 0 as the result. The escaped dots match only literal ".." path segments, and the optional ";" also covers the "..;/" form.

grep -c -E "/(s|static-assets|downloads|images|secure/usersavatar)/\.\.;?/" access*

  3. Extract the matching lines from the access log, with the context of the exploitable requests, using the following command:

grep -E "/(s|static-assets|downloads|images|secure/usersavatar)/\.\.;?/" access*
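As an added example that is not part of this Atlassian article, the following Python script applies the same check to Jira-style access-log lines but goes beyond the grep above: it also catches the "..;/" variant named earlier and percent-encoded forms such as %2e%2e, and it returns the request context (client, timestamp, status, user agent) for each hit. The log field layout and the sample lines are constructed assumptions; adjust LINE_RE to your own access-log pattern.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a Jira-style access-log layout (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 1x1x1 - [10/Sep/2019:12:00:01 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 12 "-" "Mozilla/5.0"
10.0.0.9 1x2x1 - [10/Sep/2019:12:00:02 +0000] "GET /servicedesk/customer/../../secure/Dashboard.jspa HTTP/1.1" 200 4096 30 "-" "curl/7.64.1"
10.0.0.9 1x3x1 - [10/Sep/2019:12:00:03 +0000] "GET /servicedesk/customer/..;/..;/rest/api/2/project HTTP/1.1" 200 2048 25 "-" "curl/7.64.1"
10.0.0.9 1x4x1 - [10/Sep/2019:12:00:04 +0000] "GET /s/%2e%2e/%2e%2e/secure/admin/ViewApplicationProperties.jspa HTTP/1.1" 302 0 8 "-" "python-requests/2.22"
10.0.0.7 1x5x1 - [10/Sep/2019:12:00:05 +0000] "GET /images/icons/bug.svg HTTP/1.1" 200 900 3 "-" "Mozilla/5.0"
"""

# Assumed field order: client, request id, user, timestamp, request line, status, bytes, ms, referer, agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"')

# Literal ".." segments only (dots escaped), with or without the ";" path-parameter suffix ("/..;/").
TRAVERSAL_RE = re.compile(r'/\.\.;?/')


def normalize_path(path):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_traversal_attempts(log_text):
    """Return the context of every request whose path carries a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: report these separately in a real review
        if TRAVERSAL_RE.search(normalize_path(m.group('path'))):
            hit = m.groupdict()
            hit['status'] = int(hit['status'])
            hits.append(hit)
    return hits


def count_traversal_attempts(log_text):
    """Equivalent of the grep -c check: 0 means nothing suspicious was found."""
    return len(find_traversal_attempts(log_text))


if __name__ == "__main__":
    print(count_traversal_attempts(SAMPLE_LOG), "suspicious request(s) in the sample log")
```

A 200 status on a hit does not by itself prove the protected content was returned; correlate with the reverse proxy or load balancer logs as noted above.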



Last modified on Nov 23, 2020
