Setting entity expansion threshold (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 1 minute to read

    • Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number.

    The ServiceNow AI Platform doesn't process further entity expansions that are greater than the allowed limit specified in this property.
    Note:
    3000 is the default minimum imposed by the ServiceNow AI Platform, which is considered to be a safe threshold. Hence, platform considers this default minimum if the integer value you enter is below 3000.

    More information

    Attribute Description
    Property name glide.xmlutil.max_entity_expansion
    Configuration type System Properties (/sys_properties_list.do)
    Configure in Instance Security Center Yes
    Purpose This remediation control must be enabled to defend against XML Entity Expansion/Billion Laugh attack.
    Recommended value 3000
    Functional ImpactIf the customization is using large entity expansion, then, the ServiceNow AI Platform might block further processing.
    Security risk (High) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources.

    To learn more about adding or creating a system property, see Add a system property.