Queries about May 2025 Maintenance - KB2046494

aniciagan · ‎07-09-2025

Hi all,

Based on this KB - https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494

The objective here is to follow the article and upgrade to address data inference vulnerability. There are multiple issues that I am facing and this is done in PDI (Xanadu).

Issue 1: Validation Checks Failed - (sys_security_attribute) table:
Issue when querying in sys_security_attribute, I am unable to find the below in the search result

Security Attributes (sys_security_attribute) name	Security Attributes (sys_security_attribute) sys_id	Active	COMMENTS FROM ME
UserIsAuthenticatedAndHasRightsToRead	30b1557ea3dc6210103da1fdc31e6128	True	Missing from Xanadu & Washington Version

Issue 2: Validation Checks Failed - (sys_security_acl) table:
Issue when querying in sys_security_acl, I am unable to find the below in the search result

Access Control (sys_security_acl) name	Access Control (sys_security_acl) sys_id	Decision Type	Operation	COMMENTS FROM ME
.	052f3a92a3102210103da1fdc31e6125	Deny-Unless	query_range	Passed in Yokohama Missing in Xanadu
.	7fce54b64ff42210ee1a3c11b1ce0b97	Allow-if	query_range	Passed in Yokohama Missing in Xanadu

Issue 3: Role has been modified from "Public" to "Nobody"

Issue here is that I am unable to find "Nobody". Should there be a role that has the name "Nobody"? or should i just remove "Public"?

As per KB "

Review changes to ACLs and security attributes

The default behavior of some of the existing ACLs has been updated to help further restrict access by unauthenticated users. Please review these changes as they may warrant further action to meet your business needs.

Access Control (sys_security_acl) name	Access Control (sys_security_acl) sys_id	Change
.	5c3e8c50935502102504ff92f189187c	Role has been modified from ‘public’ to ‘nobody’

Issue 4: Unable to Trigger Script

As per KB, "Running the QueryRangeACLAuditor

Please refer to the validation steps earlier in this KB for details on validating the update. It is recommended that you review the validation steps above after each run is complete. The QueryRangeACLAuditor Script Include can also be run in a script as follows:

new global.QueryRangeACLAuditor().auditQueryRangeACLs();"

I went to All -> Scripts - Background

then it showed a white screen

Hoping to seek help from the community. Thanks in advance.

Mark Manders · ‎07-09-2025

Please realize the PDIs aren't the same as customer/partner instances. Chances are that your PDI did not have the same maintenance as regular instances.

Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

AniciaG · ‎07-09-2025

Hi Mark,

Even so, i can execute step 4 : Unable to Trigger Script - "Running the QueryRangeACLAuditor".

Any idea how i can do this?

Thanks!

Mark Manders · ‎07-10-2025

I have no information about your PDI. I don't know when it has been created or what kind of updates it has had. You need to check on what is and what isn't installed.

Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark

jeffreyluto · ‎07-16-2025

Good Point the PDI might be a version where the security flaw is already patched or will be once you reset or restart it.