Check allow list package calls (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Review and remove inclusion list package call entries as needed from the sys_whitelist_package table.

    Package call entries let scripts access Java resources on the server side and perform application-level operations without appropriate validation. Because this can lead to unauthorized disclosure or alteration of customer data, it is a serious security concern.

    More information

    Attribute: Description
    Table Name: sys_whitelist_package
      Note: In recent releases, only Customer Service and Support can access this table; not even administrators are able to do so.
    Configuration type: Table
    Configure in Instance Security Center: Yes
    Purpose: To review and remove entries from this table.
    Recommended value: No record should exist in the table (the list must be empty).
    Functional Impact: There should be no impact as long as the results from running the Packages call removal tool are reviewed and approved.

    To ensure proper functioning of the instance, test the changes in a non-production environment before deploying in the production environment. To learn more, see Packages call removal tool.

    Security risk: High. Client-side API calls that result in data retrieval or object access on the server are considered dangerous from a security standpoint. Validate these items for authorization and for restriction of access to sensitive objects.
    Workaround: Contact ServiceNow Support for assistance.

    Steps to configure

    1. Activate the Packages Call Removal Tool plugin. To learn more, see Packages call removal tool.
    2. Using the filter navigator, navigate to Packages Call Removal Utility.
    3. Click each script in order, from (1) to (4). Wait for the output of each before proceeding to the next one.
    4. After script (4) runs, a list of affected fields appears on the Packages Call Items page.
    5. Resolve all the items in the Proposed and Error sections.
      Note:
      This tool might report some package calls used in sa_mapping_ext_commands and sa_custom_operation. These package calls belong to the MID Server. Because there are no such classes on the instance, the code runs on the MID Server. If you find the following package calls under the Errors section, mark them as Rejected (Ignored). The tool doesn't report that package call again.
      • Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_content);
      • Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_name);
      • Packages.com.snc.sw.commands.HttpCallHandler;
      • Packages.com.snc.sw.dto.ProviderType.SSH
    6. Contact ServiceNow Support for further remediation.
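    The following is an added example, not part of this page and not the code of ServiceNow's Packages Call Removal Tool. It shows the kind of review the steps above describe: scanning script source for direct Java package calls (`Packages.<class>...`), listing each hit with its line number, and separating the MID Server calls quoted in the note above (which the page says can be marked Rejected (Ignored)) from calls that still need an authorization review. Because the page notes that in recent releases only Customer Service and Support can read sys_whitelist_package, the example works on script text rather than on that table. The regular expression, the function names `findPackageCalls` and `summarize`, and the sample script records are all assumptions constructed for the illustration.

```javascript
// Added example: scan ServiceNow script source for direct Java package calls.
// This is a stand-alone illustration, not the Packages Call Removal Tool's own
// logic. Function names, regex and sample inputs are constructed assumptions.

// Package calls the page says belong to the MID Server and may be marked
// Rejected (Ignored) when the tool reports them under Errors. The two
// toJSONPlain(...) entries on the page share one class path, so one entry covers both.
const MID_SERVER_PACKAGE_CALLS = [
  "Packages.com.snc.sw.util.JSONUtil.toJSONPlain",
  "Packages.com.snc.sw.commands.HttpCallHandler",
  "Packages.com.snc.sw.dto.ProviderType.SSH",
];

// Matches "Packages." followed by a dotted Java identifier path (class, member).
const PACKAGE_CALL_RE = /\bPackages\.([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)/g;

// Return every package call found in one script body with a classification:
//   "mid_server" -> known MID Server call, can be marked Rejected (Ignored)
//   "review"     -> anything else: needs an authorization/restriction review
function findPackageCalls(scriptName, source) {
  const findings = [];
  for (const match of source.matchAll(PACKAGE_CALL_RE)) {
    const call = "Packages." + match[1];
    // 1-based line number of the hit, derived from newlines before it.
    const line = source.slice(0, match.index).split("\n").length;
    const isMidServer = MID_SERVER_PACKAGE_CALLS.some(
      (known) => call === known || call.startsWith(known + ".")
    );
    findings.push({
      script: scriptName,
      line,
      call,
      status: isMidServer ? "mid_server" : "review",
    });
  }
  return findings;
}

// Summarize a set of script records the way a reviewer reads the tool's output:
// total hits, calls that still need action, and calls that can be ignored.
function summarize(scripts) {
  const all = scripts.flatMap(({ name, source }) => findPackageCalls(name, source));
  return {
    total: all.length,
    needsReview: all.filter((f) => f.status === "review"),
    ignorable: all.filter((f) => f.status === "mid_server"),
  };
}

// Constructed sample script records (hypothetical, not from a real instance).
const SAMPLE_SCRIPTS = [
  {
    name: "sa_mapping_ext_commands:parse_output",
    source:
      "var json = Packages.com.snc.sw.util.JSONUtil.toJSONPlain(file_content);\n" +
      "var handler = new Packages.com.snc.sw.commands.HttpCallHandler();\n",
  },
  {
    name: "sys_script_include:LegacyHelper",
    source:
      "// reads a file straight from the server filesystem\n" +
      "var f = new Packages.java.io.File(path);\n" +
      "var gr = new GlideRecord('incident');\n",
  },
];

const report = summarize(SAMPLE_SCRIPTS);
console.log(JSON.stringify(report, null, 2));
```

    In the sample, the two MID Server calls land in `ignorable` while the `Packages.java.io.File` reference in the script include is reported under `needsReview`, which is the set a practitioner would resolve before the table is emptied.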