Check allow list member calls (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Review and remove inclusion list member call entries as needed from the sys_whitelist_member table.

    Member call entries let scripts access Java resources on the server side and perform application-level operations without appropriate validation. This is a serious security concern because it can lead to unauthorized disclosure or alteration of customer data.

    More information

    • Table Name: sys_whitelist_member
      Note:
      In recent releases, only ServiceNow employees can access this table. Not even administrators are able to do so.
    • Configuration type: Table
    • Configure in Instance Security Center: Yes
    • Purpose: To review and remove entries from this table.
    • Recommended value: No record should exist in the table (the list must be empty).
    • Functional Impact: There should be no impact as long as you review and approve the results generated when running the Packages call removal tool.

    To promote proper functioning of the instance, test the changes in a non-production environment before deploying in the production environment. To learn more, see Packages call removal tool.

    Security risk (High): client-side API calls that retrieve data or access objects on the server are considered dangerous from a security standpoint. Validate these items for authorization and for restriction of access to sensitive objects.

    Steps to configure

    Note:
    The following steps are similar to the steps outlined in the Steps to Configure sections in:

    If you already completed them, you can skip these steps.

    1. Activate the Packages Call Removal Tool plugin. To learn more, see Packages call removal tool.
    2. Using the filter navigator, navigate to Packages Call Removal Utility.
    3. Select each script starting from (1) to (4). Wait for the output, then proceed to the next one.
    4. Once you run the script (4), a listing of affected fields appears on the Packages Call Items page.
    5. Resolve all the items in the Proposed and Error sections.
      Note:
      This tool might report some package calls used in sa_mapping_ext_commands and sa_custom_operation. These package calls belong to the MID Server: because the classes are not on the instance, the code runs on the MID Server. If you find the following member calls under the Errors section, mark them as Rejected (Ignored). The tool doesn't report that member call again.
      • Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_content);
      • Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_name);
      • Packages.com.snc.sw.commands.HttpCallHandler;
      • Packages.com.snc.sw.dto.ProviderType.SSH
    6. Contact ServiceNow Support for further remediation.
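    The triage described in the step 5 note, as an added example that is not part of the ServiceNow tool or this documentation: a small stand-alone JavaScript scanner that finds `Packages.*` member call references in script text and separates the MID Server calls listed above (to be marked Rejected/Ignored) from the calls that still need remediation. The function name `scanScripts`, the script names, and the script bodies are constructed for the example; on a real instance the script sources would come from a GlideRecord query, which is not shown here.

    ```javascript
    // Added example, not ServiceNow code. Finds Packages.* member call references in
    // script sources and classifies them as "ignored" (known MID Server calls from the
    // documentation note) or "flagged" (calls that need review/remediation).

    // Member calls the documentation note attributes to the MID Server.
    const MID_SERVER_CALLS = [
      "Packages.com.snc.sw.util.JSONUtil.toJSONPlain",
      "Packages.com.snc.sw.commands.HttpCallHandler",
      "Packages.com.snc.sw.dto.ProviderType.SSH",
    ];

    // Matches "Packages." followed by a dotted Java path; stops before "(" or whitespace.
    const PACKAGES_RE = /\bPackages(?:\.[A-Za-z_$][\w$]*)+/g;

    // scripts: [{ name, source }]. Returns { flagged: [...], ignored: [...] },
    // where each entry is { script, call, line } (line is 1-based).
    function scanScripts(scripts) {
      const flagged = [];
      const ignored = [];
      for (const { name, source } of scripts) {
        source.split("\n").forEach((text, idx) => {
          for (const m of text.matchAll(PACKAGES_RE)) {
            const call = m[0];
            // A call is MID Server-owned if it equals a listed call or is a member of one.
            const isMidServer = MID_SERVER_CALLS.some(
              (known) => call === known || call.startsWith(known + ".")
            );
            (isMidServer ? ignored : flagged).push({ script: name, call, line: idx + 1 });
          }
        });
      }
      return { flagged, ignored };
    }

    // Constructed sample script records (not real instance data).
    const SAMPLE_SCRIPTS = [
      {
        name: "sa_custom_operation:parse_output", // hypothetical record name
        source: "var j = Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_content);\n" +
                "var h = new Packages.com.snc.sw.commands.HttpCallHandler();",
      },
      {
        name: "sys_script_include:LegacyExport", // hypothetical record name
        source: "var f = new Packages.java.io.File('/tmp/export.csv');\n" +
                "var gr = new GlideRecord('incident');",
      },
    ];

    const result = scanScripts(SAMPLE_SCRIPTS);
    console.log("flagged:", result.flagged); // one entry: Packages.java.io.File
    console.log("ignored:", result.ignored); // two MID Server entries
    ```

    This is a textual heuristic only: it does not replace the Packages Call Removal tool, and anything it flags still has to be resolved through the Packages Call Items page.
    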