Investigating your Jira Service Management for attempts to exploit security vulnerability CVE-2019-15003

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問


プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く


For more information about CVE-2019-15003 and the affected Jira Server versions, see the full security advisory.

  • This document provides the guidance you may use in your security assessment, customers search for evidence an attacker has attempted to exploit the vulnerability. But the logs don't provide the information needed to determine if exploitation succeeded.

  • Access logs may have been tampered with, rotated or deleted. Where applicable, compare your Jira instance logs with other sources such as those from the reverse proxy and load balancer.


When exploited, the vulnerability allows an attacker to view protected information on a Jira Service Management instance, such as issue details, comments, and a list of projects and issues. To check if your instance has been exploited, you need to check the access logs to verify whether the URLs with the following patterns: /servicedesk/customershim/ has been used in this exploit.

Access logs can be found in the Jira installation directory in the "logs" subdirectory.

  1. <Jira-installation-directory>/logs. に移動します。
  2. Run the following command to see if your instance has been affected. A non-affected instance should return 0 as a result. 
grep -c -E "/servicedesk/customer[^/]+/.*\.jspa" access*

3. Extract lines from the access log with the information on the context of the exploitable requests using the following command:

grep -E "/servicedesk/customer[^/]+/.*\.jspa" access*



最終更新日 2020 年 11 月 23 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.