Emergency Patching Process
‎08-21-2018 01:20 AM
Hi,
We received a notification a week ago of the need to apply security patches to our instances, as the urgency required ServiceNow to follow the "Emergency Patching Process".
What is this process? I've searched KBs, patching documentation and community (which got me to here) but found no reference to it. What is expected of customers under this process?
For this specific instance and more generally I struggle to find sufficient detail on security issues. In the wider world we have CVSS/CVE assessments that tell us how seriously to treat a given security concern based on standardised calculations. The vulnerabilities I see published for ServiceNow indicate the product area but don't describe seriousness/likelihood (at least as a metric that can be compared).
All the best,
Tim
‎08-21-2018 01:42 AM
Hi Tim,
Hmm.. Never heard of that before. Seeing the forum this is posted in, what release/patchlevel are you on? I would talk to your ServiceNow CAM or put in a high priority ticket in HI to get the clarification. If you get any answer, I really hope you post it here for us others to read.
//Göran
‎08-21-2018 04:50 AM
Hi Tim,
I got the same email you received. For those that didn't, here's what it said:
ServiceNow has identified a security-related issue in specific versions of ServiceNow. To address this issue, ServiceNow has developed patches that are being deployed to potentially affected instances. As this is a security-related issue, ServiceNow is following its emergency patching process and deploying patches as quickly as possible.
You are receiving this notice because one or more of your instances was identified as being potentially affected by this issue.
Your Jakarta QPP target version is being updated to Jakarta Patch 9c and will be patched on the same schedule as previously specified in this COM record. Note: Instances on Kingston and London are not affected by this issue.
So, basically they are doing an emergency patch and adding our normal quarterly patch items to it. If you don't already have a login to ServiceNow HI (https://hi.service-now.com/) I recommend that you get one or find the person at your company who has one as that is where you will find the specifics around quarterly patching and the release notes for what is included in this quarter's patch. It will also give you the dates/times of your changes for your patches.
They usually do two Changes. One for your non-Prod instance(s) and then approximately 2 weeks later one for your Prod instance. Our non-Prod instance gets the patch tonight and our Prod instance on 9/5. I generally make a corresponding Change in our instance for anything ServiceNow does so that we have a record of it, and so that my director can approve it. (If there is downtime, I need to take it to our CAB meetings.)
I hope that's helpful.
Richelle
‎08-21-2018 07:09 AM
Hi Goran, Richelle,
It's the first time we've had this kind of contact in 4 years of service.
We had a couple of CHG's spun up for us on sub-production that would've undone another Hot Fix important to us. After discussion we were asked to schedule Hot Fix 7 onto our sub-production. I'm going through our internal change processes to apply the fix into Production.
In the initial communication and in a COM follow up the "emergency patch process" was referred to a couple of times. I asked what this was but didn't get an answer. (I've read through the QPP documentation but this doesn't seem to reference any out-of-schedule patching.)
I was hoping someone from ServiceNow would chip in to explain what this process is - given security responses depend upon host and customer it seems sensible to tell customers what the process is! I could raise a HI ticket but when I asked about the patch, first line support told me they can't help, so presumably they aren't going to know anything about the process either.
Thanks,
Tim
‎08-24-2018 11:20 AM
Too bad it's not possible to tag here. But let's see if we can get ServiceNow's attention to this thread.
//Göran