Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]

  • Release version: Yokohama
  • Updated May 29, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]

    This update addresses XML external entity (XXE) vulnerabilities in ServiceNow by managing how XML entity expansion is handled during parsing. Improper handling can lead to exponential data expansion attacks that exhaust system resources. The key controls involve system properties that enable or disable entity expansion and restrict allowed external entities via an allowlist.

    Show full answer Show less

    Key Features

    • Disabling Entity Expansion: Use the glide.xmlutil.maxentityexpansion or glide.stax.allowentityresolution properties to completely disable internal and external XML entity expansion if your customizations do not require it. This prevents entity expansion attacks by excluding entities from parsing.
    • Allowlist Enforcement: The glide.stax.whitelistenabled property must be set to true to enforce an allowlist of permitted external entity URLs defined in glide.xml.entity.whitelist. This restricts XML entity resolution only to trusted, fully qualified domain names (FQDNs).
    • Safe Harbor Property: The glide.stax.whitelistenabled property is non-revertible once set, emphasizing the need to carefully plan before enabling it.

    Practical Guidance for ServiceNow Customers

    • Default Settings: By default, glide.stax.whitelistenabled is false, allowing resolution of all external entities if glide.stax.allowentityresolution is true.
    • Recommended Configuration: For enhanced security, set glide.stax.whitelistenabled to true and specify allowed URLs in glide.xml.entity.whitelist. Disable entity expansion via glide.stax.allowentityresolution if not required.
    • Impact on Customizations: If your customizations rely on entity expansion, enabling these security controls might block some XML processing. Adjust allowlists accordingly.
    • Security Risk: Without these settings, your instance is vulnerable to XXE attacks that can consume all system resources.
    • Implementation Steps:
      • Enable glide.stax.whitelistenabled and glide.xml.entity.whitelist.enabled properties.
      • Define trusted external entity URLs in glide.xml.entity.whitelist.
      • Set glide.stax.allowentityresolution to false to disable expansion or true to enable with restrictions.
      • Refer to the "Restrict XML external entities" guidance for detailed configuration.

    Key Outcomes

    • Mitigation of XML External Entity (XXE) attacks by controlling entity expansion and restricting allowed external entities.
    • Improved security posture with minimal impact on customizations if configured properly.
    • Protection against denial of service from resource exhaustion caused by malicious XML inputs.

    If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    If the glide property glide.stax.whitelist_enabled doesn't exist in the System Properties [sys_properties] table, or is not set to the recommended value of true, then all external entities are allowed when the glide property glide.stax.allow_entity_resolution is set to the value of true.

    If customizations don't require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    When glide.stax.whitelist_enabled is set to true, define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which are the only URLs that can be reached using the XML entity processing property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. Attackers can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.

    Prerequisites

    Before setting this property:
    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Property name glide.stax.whitelist_enabled
    Configuration type System Properties (/sys_properties_list.do)
    Category Validation, sanitization, and encoding
    Purpose This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laugh attack.
    Recommended value true
    Default value false
    Security risk rating 9.8
    Functional impact If the customization is using entity expansion, then, the ServiceNow AI Platform might block further processing.
    Security risk An attacker can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.
    Workaround If the customization requires entity expansion, set this property to true and follow the steps documented in Restrict XML external entities [Updated in Security Center 1.3 and 2.0].

    To learn more about adding or creating a system property, see Add a system property.

    For more information about OWASp resources, see OWASp.