Restrict XML external entities [Updated in Security Center 1.3]

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Ensure that the glide.xml.entity.whitelist and glide.xml.entity.whitelist.enabled properties are set to the recommended values to prevent XML external entity (XXE) attacks.

    If glide.xml.entity.whitelist.enabled is not set to true, the allow list is not enforced and the platform's XML parser resolves any external entity an attacker declares, which enables an XML external entity (XXE) attack. In an XXE attack the attacker supplies a document type definition (DTD) that declares an external entity whose SYSTEM identifier is a URL or path of the attacker's choosing (for example, an internal service that is reachable only from the server); when the parser expands the entity, the server fetches that location on the attacker's behalf, so the attacker can make the server issue arbitrary HTTP requests and read what comes back. This can lead to further attacks that abuse the server's trust relationship with other systems. If the allow list is enabled, every entry in glide.xml.entity.whitelist is a location the parser is still allowed to fetch: extraneous values besides http://java.sun.com/j2ee/dtds may be acceptable, but they are unnecessary for the out-of-the-box platform state, and instance admins should review each extra entry and keep it only if it is known to be safe.

    Warning:
    glide.xml.entity.whitelist.enabled is a safe harbor property: once its value has been changed it can't be altered again, so the change is non-revertible. Confirm which customizations rely on external entities before you enable it.

    More information

    Attribute             Description
    Property names        glide.xml.entity.whitelist and glide.xml.entity.whitelist.enabled
    Configuration type    System Properties (/sys_properties_list.do)
    Category              Validation, sanitization, and encoding
    Data types            String for glide.xml.entity.whitelist; boolean for glide.xml.entity.whitelist.enabled
    Purpose               This remediation control must be enabled to defend against XXE attacks.
    Recommended value     http://java.sun.com/j2ee/dtds for glide.xml.entity.whitelist; true for glide.xml.entity.whitelist.enabled
    Default value         http://java.sun.com/j2ee/dtds for glide.xml.entity.whitelist; not stated here for glide.xml.entity.whitelist.enabled (check the current value on the instance before changing it, since the change cannot be reverted)
    Security risk rating  9.8
    Functional impact     If a customization uses an external entity that is not on the glide.xml.entity.whitelist allow list, the ServiceNow AI Platform might block further processing of that XML.
    Security risk         (Critical) An attacker can use the DTD to make the server resolve attacker-chosen external entities, that is, to issue HTTP requests the attacker controls. This could lead to other attacks that use the server's trust relationship with other entities.
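The mechanism described above, as an added example that is not ServiceNow's code (the platform's Java parser is not shown here): Python's standard-library SAX parser is given an entity resolver that models the two properties. enabled=False stands for glide.xml.entity.whitelist.enabled=false (every external entity is resolved); enabled=True stands for the allow list, where only SYSTEM identifiers under an allow-listed prefix are resolved. The attacker document, the benign document, the http://internal.example/admin target and the canned "fetched" bytes are constructed for the example, and splitting the allow-list property on commas is an assumption (the page does not state the separator). A real resolver would perform the network fetch; here the fetch is simulated and the URL recorded, because that fetch is exactly the server-side request an XXE attack abuses.

```python
import io
import xml.sax
from xml.sax import handler, xmlreader

# Recommended value of glide.xml.entity.whitelist from the page.
RECOMMENDED_WHITELIST = "http://java.sun.com/j2ee/dtds"

# Constructed attacker-controlled document: the internal DTD subset declares an
# external entity whose SYSTEM identifier is an attacker-chosen (internal) URL.
ATTACKER_XML = b"""<?xml version="1.0"?>
<!DOCTYPE import [
  <!ENTITY xxe SYSTEM "http://internal.example/admin">
]>
<import><name>&xxe;</name></import>"""

# Constructed benign document whose external entity sits under the
# allow-listed prefix (a Sun J2EE DTD location).
BENIGN_XML = b"""<?xml version="1.0"?>
<!DOCTYPE web-app [
  <!ENTITY dtd SYSTEM "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">
]>
<web-app>&dtd;</web-app>"""


class TextCollector(handler.ContentHandler):
    """Collects character data so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class PolicyResolver(handler.EntityResolver):
    """Entity resolver modelling glide.xml.entity.whitelist(.enabled).

    The network fetch is simulated: the URL is recorded and canned bytes are
    returned in its place (constructed data, not a real response).
    """

    def __init__(self, enabled, whitelist):
        self.enabled = enabled
        # Assumption: the property is a comma-separated list of URL prefixes.
        self.prefixes = tuple(p.strip() for p in whitelist.split(",") if p.strip())
        self.fetched = []
        self.blocked = []

    def resolveEntity(self, public_id, system_id):
        if self.enabled and not system_id.startswith(self.prefixes):
            # Allow list enforced and no prefix matches: refuse and abort parsing,
            # which is the "block further processing" behaviour the page describes.
            self.blocked.append(system_id)
            raise xml.sax.SAXException(
                "external entity %r is not in the allow list" % system_id)
        # Allow list disabled, or prefix matched: the server would fetch this URL.
        self.fetched.append(system_id)
        source = xmlreader.InputSource(system_id)
        source.setByteStream(io.BytesIO(b"fetched:" + system_id.encode("ascii")))
        return source


def parse_with_policy(xml_bytes, enabled, whitelist=RECOMMENDED_WHITELIST):
    """Parse xml_bytes under the given property values and report what happened."""
    parser = xml.sax.make_parser()
    # Python's expat reader no longer expands external general entities by
    # default; turn it on to model a parser that does resolve them.
    parser.setFeature(handler.feature_external_ges, True)
    resolver = PolicyResolver(enabled, whitelist)
    collector = TextCollector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    error = None
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXException as exc:
        error = str(exc)
    return {
        "text": "".join(collector.parts),
        "fetched": resolver.fetched,
        "blocked": resolver.blocked,
        "error": error,
    }


if __name__ == "__main__":
    print("allow list off:", parse_with_policy(ATTACKER_XML, enabled=False))
    print("allow list on: ", parse_with_policy(ATTACKER_XML, enabled=True))
    print("benign entity: ", parse_with_policy(BENIGN_XML, enabled=True))
    # An extraneous allow-list entry re-opens the hole for that prefix.
    print("extra entry:   ", parse_with_policy(
        ATTACKER_XML, enabled=True,
        whitelist=RECOMMENDED_WHITELIST + ", http://internal.example"))
```

With the allow list off, the attacker's entity is "fetched" and its contents land inside the parsed document; with it on and set to the recommended value, the same document is rejected before any fetch, while the benign J2EE DTD reference still resolves. The last call shows why extra entries in glide.xml.entity.whitelist need review: an entry covering http://internal.example makes the attacker's request allowed again.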