Jira default admin account is experiencing repeated lockouts after multiple failed attempts at /mgmt/tm/util/bash
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The Jira default admin account is experiencing repeated lockouts after multiple failed attempts at /mgmt/tm/util/bash.
Environment
Jira Data Center that is externally accessible, likely behind an F5 load balancer.
Diagnosis
In atlassian-jira-security.log, the requested endpoint is "/mgmt/tm/util/bash", which is not an endpoint that Jira serves:
2023-06-27 02:59:25,753+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash HttpSession created [4xiiak]
2023-06-27 02:59:25,776+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash The user 'admin' is required to answer a CAPTCHA elevated security check. Failure count equals 11
2023-06-27 02:59:25,799+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash The user 'admin' is required to answer a CAPTCHA elevated security check. Failure count equals 12
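As an added example (not part of Atlassian's article), the following Python triage script parses lines in the format above, groups the CAPTCHA failure-count escalations per account, records the client address the load balancer forwarded, and flags requests whose path is not one Jira serves. The JIRA_PREFIXES allowlist and the fourth sample line are assumptions.

```python
import re

# Constructed sample in the atlassian-jira-security.log format shown above: the first three lines
# are the article's own entries, the fourth is an invented benign comparison line (assumption).
SAMPLE_LOG = """\
2023-06-27 02:59:25,753+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash HttpSession created [4xiiak]
2023-06-27 02:59:25,776+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash The user 'admin' is required to answer a CAPTCHA elevated security check. Failure count equals 11
2023-06-27 02:59:25,799+0000 http-nio-8080-exec-13456 url: /mgmt/tm/util/bash anonymous 179x11786345x1 - 141.131.3.39,10.128.28.14 /mgmt/tm/util/bash The user 'admin' is required to answer a CAPTCHA elevated security check. Failure count equals 12
2023-06-27 03:01:10,120+0000 http-nio-8080-exec-13460 url: /rest/api/2/myself anonymous 180x11786400x1 - 10.0.0.5,10.128.28.14 /rest/api/2/myself The user 'jdoe' is required to answer a CAPTCHA elevated security check. Failure count equals 3
"""
# Field order of a security.log line: timestamp, thread, "url: <path>", user, request id,
# "-", comma-separated client IP chain, path, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\S+) url: (?P<url>\S+) (?P<user>\S+) (?P<reqid>\S+) - "
    r"(?P<ips>\S+) (?P<path>\S+) (?P<msg>.*)$"
)
FAIL_RE = re.compile(
    r"The user '(?P<account>[^']+)' is required to answer a CAPTCHA elevated security check\. "
    r"Failure count equals (?P<count>\d+)"
)
# Assumed allowlist of path prefixes Jira itself serves; extend it for your context path and apps.
JIRA_PREFIXES = ("/rest/", "/secure/", "/browse/", "/login.jsp", "/plugins/", "/projects/", "/issues/")

def analyze(log_text):
    """Summarise CAPTCHA/lockout escalations per account and flag requests to non-Jira paths."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m.group("msg"))
        if not f:
            continue  # session-creation and other lines carry no failure count
        url = m.group("url")
        entry = findings.setdefault(f.group("account"), {
            "urls": set(), "client_ips": set(), "events": 0,
            "max_failures": 0, "foreign_endpoint": False,
        })
        # First hop of the forwarded IP chain is the claimed client (trust it only if the LB rewrites the header).
        entry["client_ips"].add(m.group("ips").split(",")[0])
        entry["urls"].add(url)
        entry["events"] += 1
        entry["max_failures"] = max(entry["max_failures"], int(f.group("count")))
        entry["foreign_endpoint"] = entry["foreign_endpoint"] or not url.startswith(JIRA_PREFIXES)
    return findings

if __name__ == "__main__":
    for acct, e in analyze(SAMPLE_LOG).items():
        print(acct, "NON-JIRA PATH" if e["foreign_endpoint"] else "ok", e)
```

Run it against the real log file (for example by reading it into analyze) to see which accounts are being driven toward lockout and from which forwarded addresses.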
Cause
This could be malicious activity and could be related to an external vulnerability such as, but not limited to, CVE-2022-1388. Please refer to the external link, which describes a simulated test of this.
Solution
One way to address this issue is to investigate the vulnerability mentioned above, CVE-2022-1388 (F5 BIG-IP), and understand its impact on the system or network in question. Contact the security team within your organization for such an investigation and a mitigation plan.
Renaming or disabling the default admin account is a prudent action to take, as these "default" accounts are frequently targeted in security attacks.
Please note that CVE-2022-1388 is not related to Atlassian products; contact the relevant vendor(s) for further details.
This KB article includes external links that are not managed by Atlassian. Therefore, we cannot assure the accuracy and availability of the content.