CVE-2015-2488 infection?

Mads Jensen October 1, 2015

Every time I open our hosted JIRA page (clioonline.atlassian.net), my virusscanner tells me that a file infected with CVE-2015-2488 is quarantined. I've scanned my system rigorously, with multiple tools, to no avail - the warning keeps popping up when the JIRA page is opened. No other page, I've opened, is giving me that warning.

Are you possibly infected with this exploit?

7 answers

1 vote
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 5, 2015

There is something off with his login page.. In the html i see base64 encoded payloads (an "image"), search for:

indra-icon-gapps{background-image:url(data:image/png;base64

Dont have time do debase it, but it's not common practice to create a "background" picture (8.9kb) which is encoded like this.You normally just link to the image in the css.

Some developer at Atlassian might want to correct me on this?

Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 5, 2015

Have started base64 decoding the objects, one part of it is for sure a PNG headered payload. Will check the rest tonight.

Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 6, 2015

Had a look at most of the 58 base64 payloads yesterday. Most of them are PNG's but some of the encoded elements wasnt, so i am still looking at those, but having what your antivirus flagged as malicious would jump me past having to look in all remaining files decoded.

Mads Jensen October 6, 2015

I've mailed you an infected file, @Jonas Andersson. The file is double packed and password protected so not to set off mailscanners (mine and/or yours). Instructions is in the mail.

Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 7, 2015

Thank you, didn't have time yesterday but is curious to have a look tonight. Thank you.

1 vote
no_longer_in_sudoers_file
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 2, 2015

@Mads Jensen,

I would encourage you to contact support.atlassian.com and provide the following details:

(1) What browser are you using?

(2) What operating system?

(3) What antivirus?

At present, that CVE (CVE-2015-2488) is marked as reserved pending release of details of any possible issue with an unknown software.  I know of no vulnerability in our current systems, but will keep my ears out.

1 vote
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 1, 2015

That's almost certainly something on your machine, not the JIRA website.  All JIRA hands to your browser is images and html.  If there is something bad in an image, then you uploaded it!

Also, the number refers to security issues in Internet Explorer, not a general attack on any technology used in JIRA.

0 votes
Aaron Moffatt November 8, 2015

Hi Everyone, 

Did this issue ever get figured out? We have a user who receives this message whenever he logs onto another companies instance of JIRA or Confluence, but not on our own. I am investigating the issue for him, so any information would be great.

 

Kind Regards, 

0 votes
Steve Moffat October 5, 2015

This morning our server-side sys admin contacted me to report that his virus scanner had posted several messages like this:

application-data/jira/tmp/webresources/697.cachedfile!(0): Html.Exploit.CVE_2015_2488 FOUND

This doesn't sound like the same issue you are having, mainly because you receive the warning before logging in, but it may be something to check at the server anyway.  I am not sure what JIRA uses those cache file for.  In our case I've asked the sys admin to zip the files and delete them from the server.

0 votes
Mads Jensen October 4, 2015

Normally I would agree, but this happens only when I open an Atlassian hosted page, even these support pages - not on any other page, I've tried. And it happens as soon as the login page, so before I even get to any of our content.

I've checked multiple times - as soon as I open an Atlassian hosted page, a randomly named file is being quarantined. And this is from Firefox and Chrome. I hardly use IE at all.

 

 

 

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 5, 2015

In that case, your virus checker is broken. No-one else is reporting this, and the virus checker is reporting a reference that is a) not released and b) reserved for an IE security issue - so it's a wrong number whatever the cause. There is something on your machine that's given it a false lead or it's detecting incorrectly.

0 votes
Mads Jensen October 2, 2015

hi @Sam Caldwell - I think you have the wrong Mads Jensen. Possibly one of the other folks. 

Suggest an answer

Log in or Sign up to answer