Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable [Updated in Security Center 1.3 and 1.5]
Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number.
This property controls the maximum amount of entity expansion within an XML Parser. If glide.xmlutil.max_entity_expansion is not set to the recommended value of 3000 or less, then the GlideXMLUtil parsing scriptable may be vulnerable to denial of service attacks.
Note: 500 is the default minimum imposed by the ServiceNow AI Platform, which is considered to be a safe threshold.
More information
| Attribute | Description |
|---|---|
| Property name | glide.xmlutil.max_entity_expansion |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Validation, sanitization, and encoding |
| Purpose | This remediation control must be enabled to defend against XML Entity Expansion (Billion Laughs) attacks. |
| Recommended value | 3000 |
| Default value | 100000 |
| Security risk rating | 5.3 |
| Functional Impact | If a customization relies on large entity expansion, the ServiceNow AI Platform might block further processing once the limit is reached. |
| Security risk | (Moderate) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources. |
To learn more about adding or creating a system property, see Add a system property.
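The following is an added example, not ServiceNow's GlideXMLUtil code, showing how an entity expansion limit works and why the recommended value of 3000 matters compared with the default of 100000. It counts, without ever expanding the document, how many entity expansions an XML parser would have to perform; the counting convention (every entity reference costs one expansion, including references inside another entity's replacement text) is an assumption of this example, and `nested_entity_document` builds a constructed test fixture used only to exercise the check.

```python
"""Pre-parse check that counts XML entity expansions against a limit such as
glide.xmlutil.max_entity_expansion, without ever building the expanded text."""
import re

# Values taken from the property table: the recommended limit and the platform default.
RECOMMENDED_LIMIT = 3000
PLATFORM_DEFAULT_LIMIT = 100000

_DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.DOTALL)
_ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_:][\w.:-]*)\s+"([^"]*)"\s*>')
_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


class EntityExpansionError(ValueError):
    """The document would exceed the expansion limit, or its entities loop."""


def count_entity_expansions(xml_text, limit=RECOMMENDED_LIMIT):
    """Return how many general-entity expansions parsing xml_text would need.

    Counting convention (an assumption of this example): every entity
    reference costs one expansion, including references found inside another
    entity's replacement text, which is what makes nested declarations grow
    exponentially. EntityExpansionError is raised as soon as the running total
    exceeds `limit`, or if declarations reference each other in a cycle.
    """
    subset, body = "", xml_text
    match = _DOCTYPE.search(xml_text)
    if match:
        subset = match.group(1) or ""
        body = xml_text[match.end():]
    declarations = dict(_ENTITY_DECL.findall(subset))
    cost = {}  # memoised expansion count per declared entity

    def expansions(name, active):
        if name in cost:
            return cost[name]
        if name in active:
            raise EntityExpansionError(f"entity '{name}' references itself")
        total = 1  # the reference itself
        value = declarations.get(name)  # None for &amp; etc. or undeclared names
        if value is not None:
            for ref in _ENTITY_REF.findall(value):
                total += expansions(ref, active | {name})
                if total > limit:
                    raise EntityExpansionError(
                        f"entity '{name}' alone needs more than {limit} expansions")
        cost[name] = total
        return total

    total = 0
    for ref in _ENTITY_REF.findall(body):
        total += expansions(ref, frozenset())
        if total > limit:
            raise EntityExpansionError(f"document needs more than {limit} expansions")
    return total


def nested_entity_document(levels, fanout):
    """Constructed test fixture: entity e1 references e0 `fanout` times, e2
    references e1 `fanout` times, and so on; the body references the top one.
    Its expansion count is 1 + fanout + fanout**2 + ... + fanout**levels."""
    decls = ['<!ENTITY e0 "x">']
    for k in range(1, levels + 1):
        refs = f"&e{k - 1};" * fanout
        decls.append(f'<!ENTITY e{k} "{refs}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE doc [\n' + "\n".join(decls)
            + f"\n]>\n<doc>&e{levels};</doc>")


def is_within_limit(xml_text, limit=RECOMMENDED_LIMIT):
    """True if the document can be parsed under `limit`, False otherwise."""
    try:
        count_entity_expansions(xml_text, limit)
        return True
    except EntityExpansionError:
        return False


if __name__ == "__main__":
    benign = ('<?xml version="1.0"?><!DOCTYPE note [<!ENTITY company "Example Corp">]>'
              "<note>&company; &amp; &company;</note>")
    print("benign document:", count_entity_expansions(benign), "expansions")
    nested = nested_entity_document(levels=4, fanout=10)
    for limit in (RECOMMENDED_LIMIT, PLATFORM_DEFAULT_LIMIT):
        print(f"4-level fixture under limit {limit}: accepted={is_within_limit(nested, limit)}")
```

A four-level fixture with ten references per level needs 11111 expansions: it sails through under the default of 100000 but is rejected under the recommended 3000, while ordinary documents that reference a handful of entities cost only a few expansions. That gap is the margin the recommended value removes; customizations that legitimately need more should be identified before lowering the property, since the platform blocks processing rather than degrading gracefully once the limit is hit.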