Vulnerability Pen Test Recommendation

Nagoor Basha1
Tera Contributor

The security issue is acknowledged by ServiceNow and tracked under PRB1839980, which is targeted for the upcoming Zurich release. A patch is currently available for the versions Xanadu Patch 7[2] and Yokohama Patch 2[3]. A patch for Yokohama Patch 1a is currently being tested for release. There are currently no plans to backport the fix for the Washington release. We recommend updating all ServiceNow instances as soon as possible.
To minimize the risk of exploitation for unpatched instances, we recommend limiting the number of users on an instance to the minimum, and making sure to deactivate accounts when they are no longer in use. Additional logging and monitoring should be put in place to detect and alert on suspicious requests within the application for the following scenarios:
• Search queries by users on the sys_email table
• Password resets originating from a different IP address than the user’s regular IP address
• Interactive logins to the default administrator (admin) account
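An added example (not from the post or from ServiceNow) of applying the three detection scenarios above to constructed sample log lines; the JSON log format, the field names and the events are assumptions for illustration, and the per-user "regular" IPs are learned from the login events in the same window.

```python
"""Flag the three suspicious-activity scenarios from the recommendation
over constructed sample log lines (hypothetical JSON format, not ServiceNow's)."""
import json
from collections import defaultdict

# Constructed sample events; field names are assumptions for this example.
SAMPLE_LOG = """
{"ts": "2025-06-01T08:00:00Z", "event": "login", "user": "alice", "ip": "10.0.0.5", "interactive": true}
{"ts": "2025-06-01T08:05:00Z", "event": "table_query", "user": "alice", "ip": "10.0.0.5", "table": "incident"}
{"ts": "2025-06-01T08:07:00Z", "event": "table_query", "user": "alice", "ip": "10.0.0.5", "table": "sys_email"}
{"ts": "2025-06-01T08:10:00Z", "event": "password_reset", "user": "alice", "ip": "10.0.0.5"}
{"ts": "2025-06-01T09:00:00Z", "event": "password_reset", "user": "bob", "ip": "203.0.113.9"}
{"ts": "2025-06-01T09:30:00Z", "event": "login", "user": "admin", "ip": "10.0.0.2", "interactive": true}
{"ts": "2025-06-01T09:31:00Z", "event": "login", "user": "svc_integration", "ip": "10.0.0.3", "interactive": false}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def learn_baseline(events):
    """Build each user's set of 'regular' IPs from their login events."""
    baseline = defaultdict(set)
    for e in events:
        if e.get("event") == "login" and e.get("user") and e.get("ip"):
            baseline[e["user"]].add(e["ip"])
    return baseline


def detect(events, baseline_ips):
    """Return (rule, user, ts) tuples, one per event matching a scenario."""
    alerts = []
    for e in events:
        user, ip, kind = e.get("user"), e.get("ip"), e.get("event")
        if kind == "table_query" and e.get("table") == "sys_email":
            alerts.append(("sys_email_query", user, e["ts"]))
        elif kind == "password_reset":
            # A user with no known regular IP is treated as a new IP, not ignored.
            if ip not in baseline_ips.get(user, set()):
                alerts.append(("reset_from_new_ip", user, e["ts"]))
        elif kind == "login" and e.get("interactive") and user == "admin":
            alerts.append(("admin_interactive_login", user, e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect(evs, learn_baseline(evs)):
        print(alert)
```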
