User Criteria Knowledge potential vulnerability, really "safe" since Orlando or not?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-18-2024 12:28 AM
I know the discussion about https://appomni.com/ao-labs/servicenow-knowledge-bases-data-exposures-uncovered/ went on in january when ServiceNow communicated about the potential "misconfiguration" which could cause knowledge articles to be publicly accessible but all those threads are closed so i'm starting a new one.
The article says this while describing the property glide.knowman.block_access_with_no_user_criteria:
The main guardrail, a security property that denies access by default to KBs without User Criteria, is enabled by default for instances created since the Orlando release.
But the security page they link to says that the value is default false.
And looking at the patch history, all patches wants to set it to false and therefore create skip-records for those who has the secure setting of true. I could be totally wrong but it feels weird!
How does yours look (don't post anything sensitive of course)?
https://<instancename>.service-now.com/now/nav/ui/classic/params/target/sys_update_version_list.do%3Fsysparm_query%3DnameSTARTSWITHsys_properties_b8a2fb1acbb400108ad442fcf7076d9d
Looking at the official documentation it says this:
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1123580
Q: Do I need to take any action if I am on Pre-Orlando release?
A: If you're on a Pre-Orlando release and set the system property "glide.knowman.block_access_with_no_user_criteria" to "true," you'll need to update this setting again to "true" after you upgrade to later releases.
Some might think that we're safe just because we came in after Orlando but that's not really correct according to me.
- 801 Views