Tuesday, October 31, 2023

ServiceNow Misconfigurations Result in Leak of Sensitive Information


ServiceNow has been alerted to a potential misconfiguration issue that may impact the security of its platform. The company is actively addressing the issue and working toward a resolution.

The issue involves Access Control Lists (ACLs), which are used to control access to tables and columns on the platform.

If an ACL is empty, that is, it has no roles, conditions, or scripts, it may allow unauthorized users, including guests, to access the resources it governs.

ServiceNow has found that unauthenticated users have limited access to the platform and can only reach a small set of authorized pages.

However, some public portal widgets, such as SimpleListWidget, can query data from the system on behalf of an unauthenticated visitor, so an empty ACL behind such a widget exposes the table's data. ServiceNow advises customers to follow these steps to check and fix their ACLs:

Check ACL Configurations

Customers should find ACLs that do not have any roles, conditions, or scripts.

If they do not want unauthenticated users to access these tables, they should add `gs.isLoggedIn()` to the script section of the ACLs. This will prevent unauthenticated users from reaching these tables through public portal widgets.
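The check and the fix above, as an added example that is not ServiceNow's own code: it audits ACL records (shaped like rows exported from `sys_security_acl`, with roles listed inline rather than in the `sys_security_acl_role` table) for the empty-ACL pattern, separately lists ACLs that grant via the `public` role, applies the `gs.isLoggedIn()` script fix, and checks the decision for a guest and a logged-in session. The sample records, the `session` objects and the `gs` stand-in are constructed for this example; the ACL evaluator is a simplified model of a single ACL decision, not the platform's engine.

```javascript
// Added example, not ServiceNow's own code: audit constructed ACL records for the
// "empty ACL" pattern described in the advisory, apply the gs.isLoggedIn() fix and
// verify the outcome for a guest and a logged-in user. Only gs.isLoggedIn() is
// modelled from the GlideSystem API; everything else here is a stand-in.

// Constructed sample ACL records. Field names follow sys_security_acl
// (name, operation, active, condition, script). Roles are listed inline;
// on a real instance they are rows in the sys_security_acl_role table.
const sampleAcls = [
  { name: 'incident',        operation: 'read', active: true,  roles: ['itil'],   condition: '',            script: '' },
  { name: 'x_custom_secret', operation: 'read', active: true,  roles: [],         condition: '',            script: '' },
  { name: 'kb_knowledge',    operation: 'read', active: true,  roles: ['public'], condition: '',            script: '' },
  { name: 'sys_user',        operation: 'read', active: true,  roles: [],         condition: 'active=true', script: '' },
  { name: 'legacy_table',    operation: 'read', active: false, roles: [],         condition: '',            script: '' },
  { name: 'cmdb_ci',         operation: 'read', active: true,  roles: [],         condition: '',            script: 'answer = gs.isLoggedIn();' },
];

const isBlank = (s) => !s || String(s).trim() === '';

// Check 1: active ACLs with no roles, no condition and no script. Such an ACL
// grants the operation to every requester, including unauthenticated guests.
function findOpenAcls(acls) {
  return acls
    .filter((a) => a.active && a.roles.length === 0 && isBlank(a.condition) && isBlank(a.script))
    .map((a) => `${a.name}.${a.operation}`);
}

// Check 2: active ACLs that grant through the "public" role. The advisory asks
// for these to be reviewed against business need, not removed blindly.
function findPublicRoleAcls(acls) {
  return acls
    .filter((a) => a.active && a.roles.includes('public'))
    .map((a) => `${a.name}.${a.operation}`);
}

// Fix: require an authenticated session in the ACL's script field. Applied only
// to ACLs with an empty script; an existing script would need the check ANDed in.
function hardenAcl(acl) {
  if (!isBlank(acl.script)) return acl;
  return { ...acl, script: 'answer = gs.isLoggedIn();' };
}

// Simplified model of a single ACL decision (constructed; the real engine also
// handles admin overrides, wildcard ACLs and multiple matching ACLs):
// role check, then condition, then script, and all three must pass.
function aclAllows(acl, session) {
  if (!acl.active) return false;
  const roleOk = acl.roles.length === 0 ||
    acl.roles.some((r) => r === 'public' || session.roles.includes(r));
  if (!roleOk) return false;
  if (!isBlank(acl.condition)) {
    // Only the simplest encoded query, "field=value" on the current record, is modelled.
    const [field, value] = acl.condition.split('=');
    if (String(session.current[field]) !== value) return false;
  }
  if (!isBlank(acl.script)) {
    const gs = { isLoggedIn: () => session.loggedIn }; // stand-in for GlideSystem
    // ACL scripts set the pre-declared variable `answer`; this model defaults it to true.
    const run = new Function('gs', 'current', 'var answer = true;\n' + acl.script + '\nreturn answer;');
    return Boolean(run(gs, session.current));
  }
  return true;
}

// Constructed sessions: an unauthenticated portal visitor and an ITIL user.
const guest    = { loggedIn: false, roles: [],       current: {} };
const employee = { loggedIn: true,  roles: ['itil'], current: {} };

// Run the audit, harden what it flags, and compare guest access before and after.
function demo(acls) {
  const open = findOpenAcls(acls);
  const before = acls.filter((a) => open.includes(`${a.name}.${a.operation}`));
  const after = before.map(hardenAcl);
  return {
    open,
    publicRole:  findPublicRoleAcls(acls),
    guestBefore: before.map((a) => aclAllows(a, guest)),
    guestAfter:  after.map((a) => aclAllows(a, guest)),
    userAfter:   after.map((a) => aclAllows(a, employee)),
  };
}

console.log(JSON.stringify(demo(sampleAcls), null, 2));
```

Of the six constructed records only `x_custom_secret.read` is flagged as open: `legacy_table` is inactive, `sys_user` carries a condition, `cmdb_ci` already has the `gs.isLoggedIn()` script, and `kb_knowledge` shows up in the separate public-role list for review. On a real instance the same filter would be run against `sys_security_acl` with the role join against `sys_security_acl_role`, and the fix is entered in the ACL record's Script field.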

General Security Measures

ServiceNow recommends a thorough review of all ACLs, especially those that are empty or carry the "public" role, to confirm they match business and security requirements.

Customers should also review their public widgets and clear the "Public" flag on any they do not need exposed to unauthenticated users.

Customers should use IP Address Access Control to restrict access to their instances to trusted IP addresses only. Alternatively, they can use Adaptive Authentication policies to apply more fine-grained authentication control, for example allowing mobile access while limiting other access to specific IP ranges and subnets.

Explicit Roles Plugin

Instances that use the Explicit Roles plugin are not affected by this issue. ServiceNow nevertheless advises customers who use this plugin to check their ACLs that carry the "public" role and to review their User Criteria configurations.

ServiceNow stresses the importance of taking proactive security measures and urges customers to follow these steps to protect their instances.

The guidelines for assessing User Criteria can be found at KB1123580.

ServiceNow will continue to investigate the issue and provide updates and guidance as needed.
