Handling OpenSSL Vulnerability in ServiceNow ACC

PaulMcD
Tera Contributor

Question on the critical vulnerability in the ServiceNow Agent Client Collector (ACC) related to its use of an outdated OpenSSL version (1.0.2zg). We are currently on ACC version 3.4.0, and I’ve seen that version 3.5.0 still embeds this older OpenSSL.

How are others addressing this issue? Has anyone found a workaround or received updates from ServiceNow about a patch or new release?

Any insights would be greatly appreciated!

Paul

2 REPLIES

Severin Launiau
Giga Guru

@PaulMcD: the OpenSSL bundled with the ACC package is only used by external checks - not by ACC itself. You can generate an SBOM on the agent and see the binary carries the golang static libraries.

I believe ACC uses OpenSSL if using mTLS auth between the Agent and the MID, or between the Agent and MID-Less (ITOM Cloud services and/or DEX).
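The SBOM check suggested in the first reply can be scripted. This is an added example, not code from the thread or from ServiceNow: it reads a CycloneDX JSON SBOM and reports which file each OpenSSL component was found in and whether that file is also a Go binary. It assumes Syft-style `syft:location:N:path` properties; the sample SBOM, its paths and the Go versions are constructed placeholders, not real ACC scan output.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM (not real ACC scan output). Paths and Go
# versions are placeholders; the OpenSSL version is the one named in the thread.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "stdlib", "version": "go1.21.0",
         "purl": "pkg:golang/stdlib@1.21.0",
         "properties": [{"name": "syft:location:0:path",
                         "value": "/opt/example-agent/bin/agent"}]},
        {"type": "library", "name": "golang.org/x/crypto", "version": "v0.17.0",
         "purl": "pkg:golang/golang.org/x/crypto@v0.17.0",
         "properties": [{"name": "syft:location:0:path",
                         "value": "/opt/example-agent/bin/agent"}]},
        {"type": "library", "name": "openssl", "version": "1.0.2zg",
         "purl": "pkg:generic/openssl@1.0.2zg",
         "properties": [{"name": "syft:location:0:path",
                         "value": "/opt/example-agent/embedded/lib/libcrypto.so"}]},
    ],
})

def component_paths(component):
    """Return the file paths the scanner recorded for one component."""
    return [p["value"] for p in component.get("properties", [])
            if p.get("name", "").startswith("syft:location")
            and p["name"].endswith(":path")]

def openssl_report(sbom_text):
    """List every OpenSSL component with its file and whether that file is a Go binary."""
    sbom = json.loads(sbom_text)
    go_files = set()                  # files that contain Go modules
    openssl_hits = defaultdict(set)   # file path -> OpenSSL versions found there
    for comp in sbom.get("components", []):
        paths = component_paths(comp)
        if comp.get("purl", "").startswith("pkg:golang/"):
            go_files.update(paths)
        if "openssl" in comp.get("name", "").lower():
            for path in paths or ["<no location recorded>"]:
                openssl_hits[path].add(comp.get("version", "unknown"))
    return [{"path": path, "versions": sorted(versions),
             "in_go_binary": path in go_files}
            for path, versions in sorted(openssl_hits.items())]

if __name__ == "__main__":
    for hit in openssl_report(SAMPLE_SBOM):
        print(hit)
```

An OpenSSL hit with `in_go_binary` set to `False` sits in a separate bundled file rather than in the Go agent binary, which is the distinction the first reply draws; whether that file is loaded for mTLS still has to be checked on the host.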