Require XMLdoc2 entity validation with allowlist
Disable entity expansion [Updated in Security Center 1.3]

  • Release version: Washingtondc
  • Updated February 1, 2024
If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to disable entity expansion entirely. The XML still parses to completion, but the result does not include any internal or external entities.

    • If you set this property to true, entity references are resolved and expanded, subject to the setting of the glide.stax.whitelist_enabled property.
    • If you set this property to false, all entity resolution and expansion is blocked. To learn more, see XMLdoc2 entity validation with allow list.

Prerequisites

    Before setting this property, note the following warning:

    Warning: This is a safe harbor property, meaning that once its value has been changed it cannot be altered again. The change is non-revertible, so confirm on a non-production instance that no customization depends on entity expansion before you change it.

More information

    Attribute | Description
    Property name | glide.stax.whitelist_enabled
    Configuration type | System Properties (/sys_properties_list.do)
    Category | Validation, sanitization, and encoding
    Purpose | This remediation control must be enabled to defend against an XML entity expansion (Billion Laughs) attack.
    Recommended value | true
    Default value | false
    Security risk rating | 9.8
    Functional impact | If a customization relies on entity expansion, the ServiceNow AI Platform might block further processing once this control is enabled.
    Security risk | (Critical) An attacker can exploit entity expansion to grow data exponentially, quickly consuming all system resources.
    Workaround | If a customization requires entity expansion, set this property to true and follow the steps documented in XMLdoc2 entity validation with allow list.
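The guard below is an added example written for this page, not ServiceNow platform code and not the XMLDocument2 implementation. It shows, on a constructed Billion Laughs payload and a constructed benign document, the two behaviours described above: with entity resolution off the document still parses but the entity references are dropped, and with an allowlist only the named entities are resolved, after the expanded size has been bounded so the exponential payload is rejected before anything expands. The policy names, the regex-based reading of the internal DTD subset, the 10,000-byte limit and the sample documents are assumptions of this example.

```python
"""Entity-expansion guard: a constructed example for this page, not ServiceNow
platform code. It pre-screens an XML document before a real parser sees it.
Policy "block" models entity resolution switched off (the document still
parses; DTD-defined entity references are dropped). Policy "allowlist"
resolves only named entities and bounds the expanded size first, which is
what defeats a Billion Laughs payload. Policy names, the regex-based DTD
reader and the 10,000-byte limit are assumptions of this example."""
import re
import xml.etree.ElementTree as ET

DOCTYPE = re.compile(r"<!DOCTYPE\b[^\[>]*(\[.*?\])?\s*>", re.DOTALL)
ENTITY_DECL = re.compile(r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF = re.compile(r"&(\w+);")
BUILTIN = {"lt", "gt", "amp", "apos", "quot"}  # predefined, never DTD-defined


def declared_entities(xml_text):
    """Map entity name -> replacement text from the internal DTD subset."""
    m = DOCTYPE.search(xml_text)
    if not m or not m.group(1):
        return {}
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(m.group(1))}


def expansion_sizes(entities):
    """Expanded length of every declared entity plus the set of entities each
    one reaches. Memoised, so the cost is linear in the DTD even when the
    expansion itself would be gigabytes; recursive entities are rejected."""
    sizes, reaches = {}, {}

    def visit(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise ValueError("recursive entity &%s;" % name)
        text = entities[name]
        total, reach = len(ENTITY_REF.sub("", text)), set()
        for ref in ENTITY_REF.findall(text):
            if ref in BUILTIN:
                total += 1
            elif ref in entities:
                total += visit(ref, stack | {name})
                reach |= {ref} | reaches[ref]
            else:
                raise ValueError("undeclared entity &%s;" % ref)
        sizes[name], reaches[name] = total, reach
        return total

    for name in entities:
        visit(name, frozenset())
    return sizes, reaches


def expand(entities, text):
    """Substitute entity references recursively; only used after the size check."""
    return ENTITY_REF.sub(lambda m: m.group(0) if m.group(1) in BUILTIN
                          else expand(entities, entities[m.group(1)]), text)


def screen(xml_text, policy, allowlist=frozenset(), max_expansion=10_000):
    """Return (accepted, detail, root); root is the parsed element when accepted."""
    entities = declared_entities(xml_text)
    body = DOCTYPE.sub("", xml_text)
    refs = {r for r in ENTITY_REF.findall(body) if r not in BUILTIN}
    if policy == "block":
        # Entity resolution off: parsing completes, custom entities vanish.
        cleaned = ENTITY_REF.sub(lambda m: m.group(0) if m.group(1) in BUILTIN else "", body)
        return True, "dropped references to %s" % sorted(refs), ET.fromstring(cleaned)
    if policy != "allowlist":
        raise ValueError("policy must be 'block' or 'allowlist'")
    undeclared = refs - set(entities)
    if undeclared:
        return False, "undeclared entities %s" % sorted(undeclared), None
    try:
        sizes, reaches = expansion_sizes(entities)
    except ValueError as err:
        return False, str(err), None
    needed = set(refs).union(*(reaches[r] for r in refs))
    denied = needed - allowlist
    if denied:
        return False, "entities not on allowlist %s" % sorted(denied), None
    total = sum(sizes[r] for r in ENTITY_REF.findall(body) if r not in BUILTIN)
    if total > max_expansion:
        return False, "expansion of %d bytes exceeds limit %d" % (total, max_expansion), None
    return True, "expanded %d bytes" % total, ET.fromstring(expand(entities, body))


def billion_laughs(depth=9, fanout=10):
    """Constructed Billion Laughs payload: lol<depth> expands to fanout**depth 'lol's."""
    decls, prev = ['<!ENTITY lol "lol">'], "lol"
    for n in range(1, depth + 1):
        decls.append('<!ENTITY lol%d "%s">' % (n, ("&%s;" % prev) * fanout))
        prev = "lol%d" % n
    return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n%s\n]>\n<lolz>&%s;</lolz>' % (
        "\n".join(decls), prev)


# Constructed benign document: nested but tiny entities a customization might use.
BENIGN = ('<!DOCTYPE note [ <!ENTITY company "Example Corp"> '
          '<!ENTITY sig "Regards, &company;"> ]>\n<note>&sig; &lt;ok&gt;</note>')

if __name__ == "__main__":
    lols = frozenset(["lol"] + ["lol%d" % n for n in range(1, 10)])
    print(screen(billion_laughs(), "block")[:2])
    print(screen(billion_laughs(), "allowlist", allowlist=lols)[:2])
    print(screen(BENIGN, "allowlist", allowlist=frozenset({"sig", "company"}))[:2])
```

The size check walks the entity graph once per declared entity rather than expanding it, so the nine-level payload is costed at 3,000,000,000 bytes and refused in microseconds even when every lol entity is on the allowlist; the allowlist alone is not a defence against a large expansion, which is why the page pairs it with an expansion limit.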

    To learn more about adding or creating a system property, see Add a system property.

For more information about OWASP resources, see OWASP.