Logs are suddenly flooded with errors mentioning shell commands such as 'ping', 'expr' or others

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Application logs are suddenly flooded with error messages, usually mentioning servlet errors or message body writers. The messages also usually mention shell commands such as ping, expr, etc.

Environment

Any Jira version. 

Diagnosis

Review the application logs for error messages similar to the ones below. Since the actual error messages can be different, a good indication is the presence of shell commands such as ping, expr or others in the logs.

2021-06-16 22:43:44,393+0000 http-nio-8080-exec-90 ERROR anonymous 1363x132004x1 f1oli5 10.152.4.24,10.152.1.171 /rest/dashboards/1.0/10000/gadget/10000/ [c.s.j.spi.container.ContainerResponse] A message body writer for Java class com.atlassian.gadgets.dashboard.internal.rest.representations.DashboardItemGadgetRepresentation, and Java type class com.atlassian.gadgets.dashboard.internal.rest.representations.DashboardItemGadgetRepresentation, and MIME media type application/xml was not found.
The registered message body writers compatible with the MIME media type are:
application/xml ->
    com.sun.jersey.core.impl.provider.entity.XMLJAXBElementProvider$App
    com.sun.jersey.core.impl.provider.entity.DocumentProvider
    com.sun.jersey.core.impl.provider.entity.SourceProvider$SourceWriter
    com.sun.jersey.core.impl.provider.entity.XMLRootElementProvider$App
    com.sun.jersey.core.impl.provider.entity.XMLListElementProvider$App
*/* ->
    com.sun.jersey.core.impl.provider.entity.FormProvider
    com.sun.jersey.core.impl.provider.entity.StringProvider
    com.sun.jersey.core.impl.provider.entity.ByteArrayProvider
    com.sun.jersey.core.impl.provider.entity.FileProvider
    com.sun.jersey.core.impl.provider.entity.InputStreamProvider
    com.sun.jersey.core.impl.provider.entity.DataSourceProvider
    com.sun.jersey.core.impl.provider.entity.XMLJAXBElementProvider$General
    com.sun.jersey.core.impl.provider.entity.ReaderProvider
    com.sun.jersey.core.impl.provider.entity.DocumentProvider
    com.sun.jersey.core.impl.provider.entity.StreamingOutputProvider
    com.sun.jersey.core.impl.provider.entity.SourceProvider$SourceWriter
    com.sun.jersey.server.impl.template.ViewableMessageBodyWriter
    com.sun.jersey.json.impl.provider.entity.JSONJAXBElementProvider$General
    com.sun.jersey.json.impl.provider.entity.JSONArrayProvider$General
    com.sun.jersey.json.impl.provider.entity.JSONObjectProvider$General
    com.sun.jersey.json.impl.provider.entity.JSONWithPaddingProvider
    com.sun.jersey.core.impl.provider.entity.XMLRootElementProvider$General
    com.sun.jersey.core.impl.provider.entity.XMLListElementProvider$General
    com.sun.jersey.json.impl.provider.entity.JSONRootElementProvider$General
    com.sun.jersey.json.impl.provider.entity.JSONListElementProvider$General
    com.sun.jersey.json.impl.provider.entity.JacksonProviderProxy

2021-06-16 21:08:14,980+0000 http-nio-8080-exec-70 ERROR [o.a.c.c.C.[.[localhost].[/].[noopservlet]] Servlet.service() for servlet [noopservlet] in context with path [] threw exception
java.lang.RuntimeException: javax.servlet.ServletException: java.lang.IllegalArgumentException: No command 'expr 268409241 - 37614' in action
    at com.atlassian.web.servlet.plugin.DynamicAuthorizationServletForwarder.forward(DynamicAuthorizationServletForwarder.java:55)
    at com.atlassian.web.servlet.plugin.SanitizingServletForwarder.forward(SanitizingServletForwarder.java:32)
    at com.atlassian.web.servlet.plugin.RememberingServletForwarder.forward(RememberingServletForwarder.java:51)
    at com.atlassian.web.servlet.plugin.ResolvingServletForwarder.forward(ResolvingServletForwarder.java:36)
    (...)

[] threw exception
java.lang.NumberFormatException: For input string: "ping -n 25 127.0.0.1 &"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.base/java.lang.Long.parseLong(Long.java:692)
    at java.base/java.lang.Long.valueOf(Long.java:1144)
    at com.atlassian.jira.dashboard.permission.JiraPermissionService.isReadableBy(JiraPermissionService.java:44)
    at com.atlassian.jira.dashboard.permission.JiraPermissionService.isReadableBy(JiraPermissionService.java:48)
    (...)

Other messages that do not mention shell commands can also appear, such as the example below:

2021-06-16 22:41:14,670+0000 http-nio-8080-exec-78 ERROR anonymous 1361x130376x1 f1oli5 10.152.4.24,10.152.2.176 /rest/dashboards/1.0/directory/10000" [c.s.j.spi.container.ContainerResponse] Exception mapper com.atlassian.plugins.rest.common.error.jersey.NotFoundExceptionMapper@4f1b0031 for Throwable com.sun.jersey.api.NotFoundException: null for uri: https://<JIRA_BASE_URL>/rest/dashboards/1.0/directory/10000" threw a RuntimeException when attempting to obtain the response
2021-06-16 22:41:14,675+0000 http-nio-8080-exec-78 ERROR anonymous 1361x130376x1 f1oli5 10.152.4.24,10.152.2.176 /rest/dashboards/1.0/directory/10000" [c.s.j.spi.container.ContainerResponse] Mapped exception to response: 500 (Internal Server Error)
javax.ws.rs.WebApplicationException: java.text.ParseException: Comments are not allowed
    at com.sun.jersey.server.impl.model.HttpHelper.clientError(HttpHelper.java:273)
    at com.sun.jersey.server.impl.model.HttpHelper.getAccept(HttpHelper.java:183)
    at com.sun.jersey.server.impl.VariantSelector.selectVariant(VariantSelector.java:289)
    at com.sun.jersey.spi.container.ContainerRequest.selectVariant(ContainerRequest.java:696)
    at com.sun.jersey.spi.container.AdaptingContainerRequest.selectVariant(AdaptingContainerRequest.java:286)
    at jdk.internal.reflect.GeneratedMethodAccessor2592.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    ... 1 filtered
    at com.sun.proxy.$Proxy4222.selectVariant(Unknown Source)
    ... 3 filtered
    at com.sun.jersey.spi.container.ContainerResponse.mapException(ContainerResponse.java:480)
    at com.sun.jersey.spi.container.ContainerResponse.mapWebApplicationException(ContainerResponse.java:444)
    ... 5 filtered
    at com.atlassian.plugins.rest.module.RestDelegatingServletFilter$JerseyOsgiServletContainer.doFilter(RestDelegatingServletFilter.java:160)
    ... 1 filtered
    at com.atlassian.plugins.rest.module.RestDelegatingServletFilter.doFilter(RestDelegatingServletFilter.java:70)
    ... 36 filtered
    at com.atlassian.jira.plugin.mobile.web.filter.MobileAppRequestFilter.doFilter(MobileAppRequestFilter.java:59)
    ... 4 filtered
    at com.atlassian.jira.plugin.mobile.login.MobileLoginSuccessFilter.doFilter(MobileLoginSuccessFilter.java:54)
    ... 3 filtered
    at com.atlassian.diagnostics.internal.platform.monitor.http.HttpRequestMonitoringFilter.doFilter(HttpRequestMonitoringFilter.java:55)
    ... 8 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 43 filtered
    at com.atlassian.ratelimiting.internal.filter.RateLimitFilter.doFilter(RateLimitFilter.java:73)
    ... 21 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
    ... 1 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
    ... 16 filtered
    at com.atlassian.plugins.rest.module.servlet.RestSeraphFilter.doFilter(RestSeraphFilter.java:38)
    ... 19 filtered
    at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
    ... 10 filtered
    at com.atlassian.ratelimiting.internal.filter.RateLimitPreAuthFilter.doFilter(RateLimitPreAuthFilter.java:71)
    ... 3 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 4 filtered
    at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
    ... 26 filtered
    at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
    ... 25 filtered
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.text.ParseException: Comments are not allowed
    at com.sun.jersey.core.header.reader.HttpHeaderReaderImpl.process(HttpHeaderReaderImpl.java:196)
    at com.sun.jersey.core.header.reader.HttpHeaderReaderImpl.next(HttpHeaderReaderImpl.java:129)
    at com.sun.jersey.core.header.reader.HttpHeaderListAdapter.next(HttpHeaderListAdapter.java:111)
    at com.sun.jersey.core.header.reader.HttpHeaderListAdapter.next(HttpHeaderListAdapter.java:98)
    at com.sun.jersey.core.header.reader.HttpHeaderReader.nextToken(HttpHeaderReader.java:100)
    at com.sun.jersey.core.header.reader.HttpHeaderReader$3.create(HttpHeaderReader.java:334)
    at com.sun.jersey.core.header.reader.HttpHeaderReader$3.create(HttpHeaderReader.java:332)
    at com.sun.jersey.core.header.reader.HttpHeaderReader.readList(HttpHeaderReader.java:481)
    at com.sun.jersey.core.header.reader.HttpHeaderReader.readList(HttpHeaderReader.java:473)
    at com.sun.jersey.core.header.reader.HttpHeaderReader.readAcceptableList(HttpHeaderReader.java:461)
    at com.sun.jersey.core.header.reader.HttpHeaderReader.readAcceptMediaType(HttpHeaderReader.java:350)
    ... 1 filtered
    ... 257 more
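
The Diagnosis check can be run over a whole log file rather than by eye. The Python below is an added example, not Atlassian code: it groups log lines into events, flags events that quote a shell command, and tallies them by logged client address so the result can be compared with the address of a known vulnerability scanner. The sample log, the command list beyond ping and expr, and the reading of the first address in the logged chain as the client are assumptions.

```python
import re
from collections import Counter

# An event starts with timestamp, thread name and level; other lines continue it.
EVENT_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4}) (\S+) (\w+) ")
# Request context, when logged: user, request id, session, client IP chain, path.
REQUEST_CTX = re.compile(r"(\S+) (\d+x\d+x\d+) (\S+) ((?:\d{1,3}(?:\.\d{1,3}){3},?)+) (\S+)")
# Quoted value starting with a shell command (list beyond ping/expr is an assumption).
SHELL_PROBE = re.compile(r"""['"]\s*((?:ping|expr|sleep|nslookup|curl|wget|whoami)\b[^'"]*)['"]""")

# Constructed sample log (documentation IP ranges, hypothetical logger name).
SAMPLE = """\
2021-06-16 21:08:14,980+0000 http-nio-8080-exec-70 ERROR anonymous 1268x1001x1 abc123 192.0.2.10,10.0.0.5 /secure/Dashboard.jspa [c.a.j.web.SomeLogger] Request failed
java.lang.IllegalArgumentException: No command 'expr 268409241 - 37614' in action
2021-06-16 21:08:15,102+0000 http-nio-8080-exec-71 ERROR anonymous 1268x1002x1 abc123 192.0.2.10,10.0.0.5 /rest/dashboards/1.0/10000 [c.a.j.web.SomeLogger] Request failed
java.lang.NumberFormatException: For input string: "ping -n 25 127.0.0.1 &"
2021-06-16 21:09:00,000+0000 http-nio-8080-exec-72 ERROR [o.a.c.c.C.[.[localhost].[/].[noopservlet]] Servlet.service() for servlet [noopservlet] threw exception
java.lang.IllegalArgumentException: No command 'expr 5 - 2' in action
2021-06-16 21:10:00,000+0000 http-nio-8080-exec-73 ERROR admin 1270x1003x1 def456 198.51.100.7,10.0.0.5 /rest/api/2/issue/ABC-1 [c.a.j.web.SomeLogger] Issue not found
""".splitlines()

def split_events(lines):
    """Attach continuation lines (exception text, stack frames) to their event."""
    events = []
    for line in lines:
        if EVENT_START.match(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)
    return events

def find_probes(lines):
    """Return one record per event that quotes a shell command."""
    hits = []
    for event in split_events(lines):
        probe = SHELL_PROBE.search("\n".join(event))
        if not probe:
            continue
        start = EVENT_START.match(event[0])
        ctx = REQUEST_CTX.match(event[0], start.end()) if start else None
        hits.append({"time": start.group(1) if start else None,
                     "command": probe.group(1).strip(),
                     "sources": ctx.group(4).split(",") if ctx else [],
                     "path": ctx.group(5) if ctx else None})
    return hits

def count_by_source(hits):
    """Tally flagged events by first logged address ('unknown' if none)."""
    return Counter(h["sources"][0] if h["sources"] else "unknown" for h in hits)
```

Events logged without request context, such as the noopservlet example, are counted under "unknown" and need to be matched against the access log by timestamp.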

Cause

These error messages usually occur when external actors try to exploit security vulnerabilities. This can be legitimate, like when a vulnerability scanner is run against Jira, or it can be an indication that a malicious external actor is attempting to find and exploit a vulnerability.

Solution

Check with the appropriate teams within your company whether a vulnerability scanner was run against Jira. If so, these messages can be ignored.

Otherwise, you might want to investigate further with your internal information security or networking teams to try and restrict external access to Jira.

Updated on March 13, 2025
