Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]
If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.
If the glide property glide.stax.whitelist_enabled doesn't exist in the System Properties [sys_properties] table, or is not set to the recommended value of true, then all external entities are allowed when the glide property glide.stax.allow_entity_resolution is set to the value of true.
If customizations don't require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.
- If you set glide.stax.allow_entity_resolution to true, all external entities attempt to resolve or expand subject entities, subject to the setting of the glide.stax.whitelist_enabled property.
- If you set glide.stax.allow_entity_resolution to false, all entity resolution and expansion is blocked. To learn more about this property, see Disable Entity Expansion within the XMLDocument2 Streaming Parser [Updated in Security Center 1.5].
When glide.stax.whitelist_enabled is set to true, define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which are the only URLs that can be reached using the XML entity processing property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. Attackers can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.
Prerequisites
- Set the glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled properties to true. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0].
- Define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which is the only URLs that can be reached using XML Entity processing property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0].
More information
| Attribute | Description |
|---|---|
| Property name | glide.stax.whitelist_enabled |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laugh attack. |
| Recommended value | true |
| Default value | true |
| Security risk rating | 9.8 |
| Functional impact | If the customization is using entity expansion, then, the ServiceNow AI Platform might block further processing. |
| Security risk | An attacker can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources. |
| Workaround | If the customization requires entity expansion, set this property to true and follow the steps documented in Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. |
To learn more about adding or creating a system property, see Add a system property.
For more information about OWASp resources, see OWASp.