Disable Entity Expansion within the XMLDocument2 Streaming Parser [Updated in Security Center 1.5]
If customizations do not require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.
Disable entity expansion on your instance to secure your instance from attacks such as ability to read system files, and Denial of Service. Use the system property to disallow XML entities to be expanded during parsing by the streaming parser (XMLDocument2).
Set the glide.stax.allow_entity_resolution system property to false to disable entity expansion on your instance. If this property does not appear in the System Properties [sys_properties] table, the default value is true. Create the property record and set the value to false to change it's value.
Prerequisites
- Set the glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled properties to true. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0] and Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3].
- Define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which is the only URLs that can be reached using XML Entity processing. property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0].
More information
| Attribute | Description |
|---|---|
| Property name | glide.stax.allow_entity_resolution |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laugh attack. |
| Recommended value | false |
| Default value | false |
| Functional impact | If the customization is using entity expansion, then, the ServiceNow AI Platform might block further processing. |
| Security risk | (Critical) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources. |
| Workaround | If the customization requires entity expansion, set this property to true and follow the steps documented in Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]. |
To learn more about adding or creating a system property, see Add a system property
For more information about OWASp resources, see OWASp.