| Require authorization for SOAP requests |
- New technical configuration name:
glide.basicauth.required.soap,
glide.soap.require_ws_security
- Old technical configuration name:
glide.basicauth.required.soap
- New description: The glide property
glide.basicauth.required.soap controls
whether basic authentication is required to make a SOAP request
to an instance. If
glide.basicauth.required.soap is not
set to the recommended value of true, then unauthenticated users
performing SOAP operations will be mapped to the soap.guest
user. This may enable an unauthenticated user to perform
operations on the instance as if they were a logged-in user.
There may be additional impact if the user defined within
com.glide.soap.guest_user is assigned additional roles.
- Old description: The glide property
glide.basicauth.required.soap controls
whether authentication is required to make a SOAP request to an
instance. If glide.basicauth.required.soap
is not set to the recommended value of true, then authentication
is disabled for SOAP requests on the instance. This allows
unauthenticated access to administrator or maint level
operations, thereby negating security controls within the
instance.
- New remediation: Ensure the property
glide.basicauth.required.soap is set to
the value true. Alternatively, configure the instance for WS
Security by setting the property
glide.soap.require_ws_security to true
and following the product documentation to configure WS Security
Profiles.
- Old remediation: Ensure the property
glide.basicauth.required.soap exists in
the sys_properties table and is set to true.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Escape jelly script [Updated in Security Center 1.3 and 1.5] |
- New description: This property escapes all the JS and HTML
strings included in <j:jelly> ... </j:jelly> before they are
written to the output stream, preventing several XSS issues from
occurring. If glide.ui.escape_all_script is not set
to the recommended value of true, then escaping of scripts
injected into Jelly is disabled. Without this mitigation, the
platform becomes wide open to a variety of script injection
attacks. An attacker could execute arbitrary Rhino scripts on
the instance.
- Old description: The following property escapes all the JS and
HTML strings included in <j:jelly> ... </j:jelly> before
they are written to the output stream, preventing several XSS
issues from occurring. If
glide.ui.escape_all_script is not set
to the recommended value of "true", then escaping of scripts
injected into Jelly is disabled. Without this mitigation, the
platform becomes widely open to a variety of script injection
attacks. An attacker could execute arbitrary Rhino scripts on
the instance.
|
| Prevent Users From Accepting Warning To Bypass CSRF Validation [Updated in Security Center 1.3 and 1.5] |
- New short description: Prevent Users From Accepting Warning To
Bypass CSRF Validation
- Old short description: Enforce CSRF Token Strict Validation
- New description: This property prevents users from being able to
accept a warning which allows a potentially malicious request to
be sent to the instance. This warning appears when a POST
request fails because it carries a mismatched anti-CSRF token
belonging to one of the victim's other active sessions. If
glide.security.csrf.strict.validation.mode
is not set to the recommended value of true, then an attacker
can formulate a CSRF attack utilizing a leaked anti-CSRF token
from a different active session belonging to the victim. A POST
request to an instance contains an anti-CSRF token within
sysparm_ck or X-UserToken which matches the user's current
session. If the anti-CSRF token is instead tied to one of the
user's other active sessions, the POST request will return a 302
redirection to security_interceptor.do with a Continue button
available to the user when this property is set to false.
Clicking this button will re-submit the request to the instance,
except it will now carry a valid anti-CSRF token. When this
property is set to true, the 302 redirection to the
security_interceptor.do page will not display a Continue button
and the user will not be allowed to resubmit the request. A
successful CSRF attack will allow an attacker to effectively
perform any operation that the victim is able to perform.
- Old description: This property enables CSRF token strict
validation which prevents the reuse of CSRF tokens. If
glide.security.csrf.strict.validation.mode
is not set to the recommended value of true, then CSRF tokens
could be reused which opens a door to CSRF attacks.
- New CVSS Score: 3.7
- Old CVSS Score: 3.1
|
| Require Authentication on Event Management HTTP Processor [New in Security Center 1.3, Updated in 1.5, and removed in 2.0] |
- New short description: Require Authentication on Event
Management HTTP Processor
- Old short description: Require Authentication on Event
Management HTTP Processor
|
| Enable Anti-CSRF token [New in Security Center 1.3, updated in 1.5, and removed in 2.0] |
- New description: Cross-Site Request Forgery (CSRF) is an attack
that forces authenticated users to submit a request to a Web
application against which they are currently authenticated. CSRF
attacks exploit the trust a Web application has in an
authenticated user. This property enables usage of a secure
token to identify and validate incoming requests. This token is
used to prevent cross site request forgery attacks. If
glide.security.use_csrf_token is not
set to the recommended value of true, then CSRF is
possible.
- Old description: Cross-Site Request Forgery (CSRF) is an attack
that forces authenticated users to submit a request to a Web
application against which they are currently authenticated. CSRF
attacks exploit the trust a Web application has in an
authenticated user. This property enables usage of a secure
token to identify and validate incoming requests. This token is
used to prevent cross site request forgery attacks. If
glide.security.use_csrf_token is not set to the
recommended value of true, then CSRF is possible.
|
| Enable HTML Sanitizer within Virtual Agent |
- New short description: Enable HTML Sanitizer within Virtual
Agent
- Old short description: Enable HTML Sanitizer
- New description: This property controls whether the
HtmlSanitizerService is enabled. If
com.glide.cs.html.sanitizer.enabled is
not set to true, then a Stored Cross-Site Scripting (XSS) attack
is possible in the VA web client.
- Old description: This property controls the whether the
HTMLSanitezerService is enabled. If
com.glide.cs.html.sanitizer.enabled is
not set to true, then a Stored Cross-Site Scripting (XSS) attack
is possible in the VA web client.
|
| Deny internal access to explicit external roles [Updated in Security Center 1.3 and 1.5] |
|
| Require authorization for WSDL request |
- New description: If
glide.basicauth.required.wsdl is not
set to the recommended value of true, then Basic Authentication
is disabled for WSDL requests. WSDL is a protocol that
is used to describe web services such as instance table schemas,
and is not a mechanism for sharing the data within tables.
Leaving this property unset allows for disclosure of table
schemas to unauthenticated users.
- Old description: If
glide.basicauth.required.wsdl is not
set to the recommended value of true, then this will disable
Basic Authentication for WSDL requests. This could lead to
information disclosure to unauthenticated users.
- New CVSS Score: 5.3
- Old CVSS Score: 4.3
|
| Enforce URL allowlist check |
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Define restricted downloadable MIME types [Updated in Security Center 1.3, 1.5, and 2.0] |
- New short description: Define Restricted Downloadable MIME
Types
- Old short description: Restrict Downloadable MIME Types
- New description: If
glide.ui.attachment.download_mime_types
does not include dangerous items such as
text/html,image/svg,image/svg+xml,application/xml, then
dangerous files could be rendered inline in the browser, which
could lead to Cross-Site Scripting (XSS) attacks. This property
is the comma-separated list of attachment MIME types which will
not render inline in the browser. For example, including
text/html will force HTML files to be downloaded to the client
as attachments rather than viewed inline in the browser.
Maintaining this list properly will prevent cross-site scripting
attacks.
- Old description: If
glide.ui.attachment.download_mime_types
does not include dangerous items such as
text/html,image/svg,image/svg+xml,application/xml, then
dangerous files could be rendered inline in the browser, which
could lead to Cross-Site Scripting (XSS) attacks. This property
is the comma-separated list of attachment MIME types which will
not render inline in the browser. For example, including
text/html will force html files to be downloaded to the client
as attachments rather than viewed inline in the browser.
Maintaining this list properly will prevent cross-site scripting
attacks.
|
| Escape HTML in list views [Updated in Security Center 1.3 and 1.5] |
- New description: This property helps sanitize the display of
HTML fields in list views. If
glide.ui.escape_html_list_field is not
set to the recommended value of true, then a malicious user can
inject HTML code within the form field to execute unwanted
scripts in other client/user sessions. This could
potentially be leveraged by attackers to steal session
information and sensitive data.
- Old description: The following property helps sanitize the
display of HTML fields in list views. If
glide.ui.escape_html_list_field is not
set to the recommended value of true, then a malicious user can
inject HTML code within the form field to execute unwanted
scripts in other client/user sessions. This could
potentially be leveraged by attackers to steal session
information and sensitive data.
|
| Restrict email domains for external user registration [Updated in Security Center 1.3, 1.5, and 2.0] |
- New short description: Restrict Email Domains for External User
Registration
- Old short description: Restrict Email Domains for External User
Registration (Plugin Applicability: External User
Registration)
- New description: The
sn_ext_usr_reg.allowed_email_domains
property defines which email addresses are allowed to
self-register to a ServiceNow instance. If
sn_ext_usr_reg.allowed_email_domains is
not set with a list of acceptable domains, then users with any
email address are allowed to register accounts on the instance.
If not defined, malicious actors could perform registration
using email addresses from unwanted domains to gain
authenticated access to the instance.
- Old description: If
sn_ext_usr_reg.allowed_email_domains is
not set with a whitelist of acceptable domains, then malicious
actors could perform registration using email addresses from
unwanted domains.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Enable CAPTCHA for External User Registration |
- New short description: Enable Captcha for External User
Registration
- Old short description: Enable Captcha for External User
Registration (Plugin Applicability: External User
Registration)
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Minimize external user registration link expiration duration |
- New short description: Minimize External User Registration Link
Expiration Duration
- Old short description: Minimize External User Registration Link
Expiration Duration (Plugin Applicability: External User
Registration)
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Disallow infected file download |
- New short description: Disallow Infected File Download
- Old short description: Disallow Infected Files Download
- New remediation: Ensure the property
com.glide.snap.infected_download_allowed
is set to False.
- Old Remediation: Ensure the property
com.glide.snap.infected_download_allowed
is set to True.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Validate file mime type in AttachmentCreator soap web service [New in Security Center 1.3 and updated in 1.5] |
- New description: If
glide.attachment.enforce_security_validation
is not set to the recommended value of true, then there will be
no validation of the attachment MIME type, and dangerous files
could be uploaded to the system using wrong file extensions. When
this property is set to true, files are uploaded with the correct
file type extension. It is a security best practice to validate
file uploads at least with MIME type validation.
- Old description: If
glide.attachment.enforce_security_validation
is not set to the recommended value of True, then there will be
no validation of the attachment MIME type, and dangerous files
could be uploaded to the system using wrong file extensions. When
this property is set to true, files are uploaded with the correct
file type extension. It is a security best practice to validate
file uploads at least with MIME type validation.
- New remediation: Ensure the property
glide.attachment.enforce_security_validation
is set to true.
- Old Remediation: Ensure the property
glide.attachment.enforce_security_validation
is set to True.
|
| Disable MultiSSO Debugging |
- New short description: Disable MultiSSO Debugging
- Old short description: Disable MultiSSO Debugging (Plugin
Applicability: Multiple Provider Single Sign-On)
|
| Reduce the Scope of the IP Allow List for an Instance |
- New technical configuration name:
glide.ip.authenticate.strict
- Old technical configuration name:
glide.ip.authenticate.strict,glide.ip.authenticate.allow.secured
- New description: If
glide.ip.authenticate.strict is set to
true, then internal ServiceNow personnel and systems can only
make inbound connections to the instance from essential IP
ranges. This limits ServiceNow's visibility into the instance
to essential internal infrastructure, and prevents access by
broader ServiceNow personnel such as support and sales staff
via corporate networks. When set to "true", the
glide.ip.authenticate.allow property is
used to grant internal ServiceNow inbound connections. If not
set to true, then a broader ServiceNow internal IP range as
defined in glide.ip.authenticate.allow is
used to grant internal ServiceNow inbound connections.
- Old description: If
glide.ip.authenticate.strict is set to
true, then only IP ranges specified in
glide.ip.authenticate.allow.secured can
make inbound connections to the instance. This property contains
a list of only essential ServiceNow internal IP ranges (Secure
VPN, DC). If
glide.ip.authenticate.allow.secured is
not set to the recommended value or permutation of "10.0.0.0/8,
37.98.232.0/21, 103.23.64.0/22, 149.96.0.0/17, 149.96.0.0/16,
199.91.136.0/21, 148.139.0.0/16, 127.0.0.1" or the newer value
list "10.0.0.0/8, 37.98.232.0/21, 103.23.64.0/22, 149.96.0.0/17,
149.96.0.0/16, 199.91.136.0/21, 148.139.0.0/16, 127.0.0.1,
0:0:0:0:0:0:0:1, ::1" which adds IPv6 localhost to Utah, then it
may allow untrusted sources outside of SN DataCenter and secure
VPN to access sensitive monitoring endpoints on instances.
- New remediation: Ensure the property
glide.ip.authenticate.allow.secured
contains only trusted values and that the property
glide.ip.authenticate.strict is set to
true.
- Old remediation: Ensure the property
glide.ip.authenticate.allow.secured
contains only values in "10.0.0.0/8, 37.98.232.0/21,
103.23.64.0/22, 149.96.0.0/17, 149.96.0.0/16, 199.91.136.0/21,
148.139.0.0/16, 127.0.0.1, 0:0:0:0:0:0:0:1, ::1" and that the
property glide.ip.authenticate.strict is
set to true.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Disable Entity Expansion within the XMLDocument2 Streaming Parser |
- New short description: Disable Entity Expansion within the
XMLDocument2 Streaming Parser
- Old short description: Disable Entity Expansion
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Apply domain separation on dot walked fields |
- New short description: Apply Domain Separation on Dot Walked
Fields
- Old short description: Apply Domain Separation on Dot Walked
Fields (Plugin Applicability: Domain Separation)
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Restrict permissions for CMDB model |
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Require clearing pasteboard when backgrounding mobile application |
- New description: The
glide.sg.clear_pasteboard_when_backgrounded
property controls if text copied from ServiceNow mobile app is
kept in the clipboard and pasteboard after the app is in
background mode. If it is not set to the recommended value of
true, then sensitive information may be disclosed to the Android
or iOS clipboard where it can be exposed to other applications
on the device.
- Old description: The property
glide.sg.clear_pasteboard_when_backgrounded
controls if text copied from ServiceNow mobile app is kept in
the clipboard/pasteboard after the app is no longer in focus. If
it is not set to the recommended value of true, then sensitive
information may be disclosed to the Android or iOS clipboard
where it can be exposed to other applications on the
device.
|
| Enable account recovery |
- New short description: Enable Account Recovery
- Old short description: Enable Account Recovery (Plugin
Applicability: Multiple Provider Single Sign-On)
|
| Disable SQL error messages |
- New description: If glide.db.loguser is
not set to the recommended value of false, then sensitive
server-side error messages could be displayed to end-users.
Error messages can include stack traces and information about
the structure of the database that could provide an attacker the
knowledge needed to perform successful SQL Injection should the
preconditions exist. As defense in depth, these error messages
should not be displayed to the end user.
- Old description: If glide.db.loguser is not
set to the recommended value of false, then sensitive
server-side error messages could be displayed to end-users.
|
| Enforce relative links |
- New description: The
glide.cms.catalog_uri_relative property
enforces relative links from the URI parameter on
/ess/catalog.do. If
glide.cms.catalog_uri_relative is not
set to the recommended value of true, then the URL will not be
sanitized with the enforceRelativeURL(url) function. Absolute
URLs can pose a security risk when used as part of a parameter
or a field value, redirecting the source page to an
adversary-controlled website. This property impacts the legacy
Content Management System (CMS) which has been replaced with
Service Portal.
- Old description: The
glide.cms.catalog_uri_relative property
enforces relative links from the URI parameter on
/ess/catalog.do. If
glide.cms.catalog_uri_relative is not
set to the recommended value of true, then the URL will not be
sanitized with the enforceRelativeURL(url) function. Absolute
URLs can pose a security risk when used as part of a parameter
or a field value, redirecting the source page to an
adversary-controlled website.
|
| Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable |
- New short description: Minimize Entity Expansion Threshold for
GlideXMLUtil Scriptable
- Old short description: Minimize Entity Expansion Threshold
- New description: This property controls the maximum amount of
entity expansion within an XML Parser. If
glide.xmlutil.max_entity_expansion is
not set to the recommended value of 3000 or less, then the
GlideXMLUtil parsing scriptable may be vulnerable to denial of
service attacks.
- Old description: This property controls the maximum amount of
entity expansion within an XML Parser. If
glide.xmlutil.max_entity_expansion is
not set to the recommended value of 3000 or less, then the XML
parser may be vulnerable to denial of service attacks.
- Rule Script: Script has been updated to improve detection
accuracy.
|
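The checks above all reduce to comparing a sys_properties value against a recommended value: a boolean (the SOAP, WSDL, CSRF, XSS-escaping, infected-download and loguser properties), a comma-separated list that must contain given MIME types (glide.ui.attachment.download_mime_types), or a numeric ceiling (glide.xmlutil.max_entity_expansion). The following is an added example, not ServiceNow's own rule scripts, that evaluates an exported property snapshot against those recommendations; SAMPLE_PROPS is a constructed snapshot and the rule table is taken from the property names and values in the text.

```python
"""Check a sys_properties snapshot against the recommended values stated in the
hardening checks above.  Added example, not ServiceNow's own rule scripts;
SAMPLE_PROPS is a constructed instance snapshot."""
from __future__ import annotations
from typing import Callable, Optional

Check = Callable[[Optional[str]], Optional[str]]  # returns a finding, or None if compliant


def expect_bool(expected: bool) -> Check:
    """Property must exist and equal 'true'/'false' (case-insensitive)."""
    want = "true" if expected else "false"

    def check(value: Optional[str]) -> Optional[str]:
        if value is None:
            return f"property missing; expected {want}"
        if value.strip().lower() != want:
            return f"is {value.strip()!r}; expected {want}"
        return None
    return check


def expect_max_int(limit: int) -> Check:
    """Numeric property must exist and be <= limit (entity expansion threshold)."""
    def check(value: Optional[str]) -> Optional[str]:
        if value is None:
            return f"property missing; expected <= {limit}"
        try:
            number = int(value.strip())
        except ValueError:
            return f"is {value.strip()!r}; not an integer"
        return f"is {number}; expected <= {limit}" if number > limit else None
    return check


def expect_list_contains(required: frozenset) -> Check:
    """Comma-separated list must contain every required item (download_mime_types)."""
    def check(value: Optional[str]) -> Optional[str]:
        present = {item.strip().lower() for item in (value or "").split(",") if item.strip()}
        missing = sorted(required - present)
        return "list is missing " + ", ".join(missing) if missing else None
    return check


# Property names and recommended values as given in the checks above.
DANGEROUS_MIME_TYPES = frozenset({"text/html", "image/svg", "image/svg+xml", "application/xml"})
RULES: dict[str, Check] = {
    "glide.basicauth.required.soap": expect_bool(True),
    "glide.basicauth.required.wsdl": expect_bool(True),
    "glide.ui.escape_all_script": expect_bool(True),
    "glide.security.csrf.strict.validation.mode": expect_bool(True),
    "glide.security.use_csrf_token": expect_bool(True),
    "glide.ui.escape_html_list_field": expect_bool(True),
    "glide.attachment.enforce_security_validation": expect_bool(True),
    "com.glide.snap.infected_download_allowed": expect_bool(False),
    "glide.db.loguser": expect_bool(False),
    "glide.ip.authenticate.strict": expect_bool(True),
    "glide.ui.attachment.download_mime_types": expect_list_contains(DANGEROUS_MIME_TYPES),
    "glide.xmlutil.max_entity_expansion": expect_max_int(3000),
}


def evaluate(props: dict[str, str]) -> dict[str, str]:
    """Return {property: finding} for each failing rule; an empty dict means compliant."""
    findings = {}
    for name, check in RULES.items():
        finding = check(props.get(name))
        if finding:
            findings[name] = finding
    return findings


# Constructed snapshot of an instance with several weak settings.
SAMPLE_PROPS = {
    "glide.basicauth.required.soap": "true",
    "glide.basicauth.required.wsdl": "false",               # WSDL schemas exposed
    "glide.ui.escape_all_script": "True",                   # case differs, still compliant
    "glide.security.csrf.strict.validation.mode": "true",
    "glide.security.use_csrf_token": "true",
    "glide.ui.escape_html_list_field": "true",
    "glide.attachment.enforce_security_validation": "true",
    "com.glide.snap.infected_download_allowed": "true",     # infected downloads allowed
    "glide.db.loguser": "false",
    "glide.ui.attachment.download_mime_types": "text/html, application/xml",  # SVG types missing
    "glide.xmlutil.max_entity_expansion": "64000",          # above the 3000 threshold
    # glide.ip.authenticate.strict deliberately absent
}
```

Running evaluate(SAMPLE_PROPS) reports the five weak settings; an instance that fixes all of them returns an empty dict.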
| Disable GlideRecord Scope Fencing Legacy Behavior |
- New description: GlideRecord provided cross scope create/update
access to tables that were not configured with that level of
access. In order to prevent customers from having applications
broken when this scoped access behavior was patched, the
property
glide.record.legacy_cross_scope_access_policy_in_script
was created. When true, cross scope access falls back onto
legacy behavior (insecure). This property disables scope
fencing, allowing scoped apps to access global script
interfaces. It is best security practice to have scope fencing
restrictions in place. Scoping ensures applications can only
access resources with explicit access or within their scope,
following the principle of least privilege. Disabling this
feature could lead to confidentiality, availability, and
integrity impacts.
- Old description: Legacy behavior provided create/update access
to tables that did not allow so. In order to prevent legacy
customers from having applications broken when this scoped
access behavior was patched, the property
glide.record.legacy_cross_scope_access_policy_in_script
was created. When true, cross scope access falls back onto
legacy behavior (insecure). This property disables scope
fencing, allowing scoped apps to access global script
interfaces. It is best security practice to have scope fencing
restrictions in place. Scoping ensures applications can only
access resources with explicit access or within their scope,
following the principle of least privilege. Disabling this
feature could lead to confidentiality, availability, and
integrity impacts.
|
| Enable SSL in LDAP authentication [Updated in Security Center 1.5 and 2.0] |
- Rule Script: Script has been updated to improve detection accuracy.
|
| Enforce password reset on api requests |
- Rule Script: Script has been updated to improve detection accuracy.
|
| Do not apply password policy at login [Updated in Security Center 1.5 and removed in 2.0] |
- New description: By setting the property
glide.apply.password_policy.on_login to False
there will be no password complexity enforcement at login
time. Setting the property to True will enforce password
complexity and lead to organization policy compliance
issues. As per ASVS 4.03 v2.1.9 recommendations:
Verify that there are no password composition rules limiting
the type of characters permitted. There should be no
requirement for upper or lower case or numbers or special
characters. (C6)
Instead of password complexity enforcement, ASVS
recommendations are to enforce a minimum length of 12
characters for password length.
Ref: OWASP ASVS v4.0 Authentication
- Old description: By setting the property
glide.apply.password_policy.on_login
to False there will be no password complexity enforcement at
login time. Setting the property to True will enforce
password complexity and lead to organisation policy
compliance issues. As per ASVS 4.03 v2.1.9
recommendations: Verify that there are no password
composition rules limiting the type of characters permitted.
There should be no requirement for upper or lower case or
numbers or special characters. (C6) Instead of
password complexity enforcement, ASVS recommendations are to
enforce a minimum length of 12 characters for password
length. Ref: OWASP ASVS v4.0 Authentication
|
| Do not use demo certificates for active SAML configurations |
- New short description: Do Not Use Demo Certificates for Active
SAML Configurations
- Old short description: Do Not Use Demo Certificates for Active
SAML Configurations (Plugin Applicability: Multiple Provider
Single Sign-On)
|
| Minimize SAML notBefore or notOnOrAfter constraint duration [Updated in Security Center 1.3 and 1.5] |
- New short description: Minimize SAML "notBefore" or
"notOnOrAfter" Constraint Duration
- Old short description: Minimize SAML "notBefore" or
"notOnOrAfter" Constraint Duration (Plugin Applicability:
Multiple Provider Single Sign-On)
|
| Block Expired Anti-CSRF Tokens |
- New short description: Block Expired Anti-CSRF Tokens
- Old short description: Block Expired CSRF Tokens
|
| Require CAPTCHA for guest walk-up experience in customer service application |
- New short description: Require Captcha for Guest Walk-up
Experience in Customer Service Application
- Old short description: Require Captcha for Guest Walk-up
Experience in Customer Service Application (Plugin
Applicability: Guest Walk-up Experience for Customer
Service)
|
| Check impersonation on ACL evaluation in HR App [New in Security Center 1.3 and updated in 1.5] |
- New short description: Check Impersonation on ACL Evaluation in
HR App
- Old short description: Check Impersonation on ACL Evaluation in
HR App (Plugin Applicability: Human Resources Scoped App)
|
| Restrict HR case updates from personal emails |
- New short description: Restrict HR Case Updates from Personal
Emails
- Old short description: Restrict HR Case Updates from Personal
Emails (Plugin Applicability: Human Resources Scoped App)
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Enable MID audit log |
- New short description: Enable MID Audit Log
- Old short description: Enable MID Audit Log (Plugin
Applicability: MID Server)
|
| Required JMS connection factories |
- New short description: Required JMS Connection Factories
- Old short description: Required JMS Connection Factories (Plugin
Applicability: MID Server)
- Rule Script: Script has been updated to improve detection accuracy.
|
| Limit attachment size in training and prediction flows [New in Security Center 1.3 and updated in 1.5] |
- New short description: Limit Attachment Size in Training and
Prediction Flows
- Old short description: Limit Attachment Size in Training and
Prediction Flows (Plugin Applicability: Platform Document
Intelligence)
|
| Ensure archive table ACLs are checked |
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Log session audit events |
- New description: When the Glide Property
glide.authenticate.session_access.log_audit_event
is set to true, session audit events will be created in the
sys_session_access_audit table. It is best practice to log
information about who accessed a session to assist in malicious
actor investigations. Information logged will include user,
session ID (non-sensitive), IP address, roles, and
policies.
- Old description: When the Glide Property
glide.authenticate.session_access.log_audit_event
is set to true, session audit events will be created in the
sys_session_access_audit table. It is best practice to log
general information about session access to assist in malicious
actor investigations. Information logged will include user,
session ID (non-sensitive), IP address, roles, and
policies.
|
| Enforce scoped ACL access for information request playbooks [New in Security Center 1.3 and updated in 1.5] |
- New short description: Enforce Scoped ACL Access for Information
Request Playbooks
- Old short description: Enforce Scoped ACL Access for Information
Request Playbooks
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Proactively Invalidate Sessions After Defined Durations |
- New description: The Glide Property
glide.active.session.timeout.invalidate.session
controls if a timed out session is proactively invalidated
before the Tomcat container invalidates the session. When this
property is not set to true, there can be a small interval of
time where a timed out session is not invalidated (60+ seconds,
depending on queue size). If a session is hijacked, an attacker
may be able to utilize a session during this small period of
time.
- Old description: The Glide Property
glide.active.session.timeout.invalidate.session
controls if a timeout session is proactively invalidated before
the Tomcat container. When this property is not set to true,
there can be a small interval of time where a timed out session
is not invalidated (60+ seconds, depending on queue size). If a
session is hijacked, an attacker may be able to utilize a
session during this small period of time.
|
| Limit HTTP response body size [New in Security Center 1.3 and updated in 1.5] |
- New short description: Limit HTTP Response Body Size
- Old short description: Ensure HTTP Responses Do Not Trigger an
OutOfMemory Exception Due to Response Body Size
|