XML parsers can be exploited using the "Billion Laughs" attack, a type of XML entity expansion attack that consumes excessive system resources, leading to crashes and denial of service. Without a limit on entity expansion, attackers can overload the system. Setting a reasonable threshold prevents this attack and ensures system stability.
Resolution Steps
Go to the sys_properties table by entering sys_properties.list in the navigation filter of your ServiceNow instance.
Add or update the property glide.xmlutil.max_entity_expansion and set its value to 3000.
Setting a limit on XML entity expansion prevents denial-of-service attacks and protects system stability. By enforcing glide.xmlutil.max_entity_expansion = 3000, organizations can mitigate the risk of resource exhaustion.
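To illustrate what such a limit guards against, the following added example (not ServiceNow code, and not a description of how glide.xmlutil counts internally) computes the number of entity expansions an XML document would trigger from its DTD alone, without ever building the expanded text, and rejects documents above the 3000 threshold. The sample documents and the counting rule (one expansion per reference to a declared entity, plus the expansions nested in its replacement text) are assumptions of this example.

```python
import re

# Same threshold as the glide.xmlutil.max_entity_expansion value recommended above.
MAX_ENTITY_EXPANSION = 3000

# Internal general entity declarations, e.g. <!ENTITY b "&a;&a;">, and references like &b;.
_ENTITY_DECL = re.compile(r'''<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>''')
_ENTITY_REF = re.compile(r"&(\w+);")
_DOCTYPE = re.compile(r"<!DOCTYPE.*?\]\s*>", re.DOTALL)


def count_expansions(xml_text):
    """Number of entity expansions a parser would perform on xml_text.

    The count is derived from the entity graph with memoisation, so the
    replacement text is never materialised: the check stays cheap even when
    the expanded document would be huge. Recursive definitions (illegal in
    XML) raise ValueError instead of looping forever.
    """
    decls = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in _ENTITY_DECL.finditer(xml_text)}
    memo = {}

    def cost_of_refs(text, stack):
        # One expansion per reference to a declared entity, plus whatever
        # its replacement text expands to in turn.
        return sum(1 + cost(name, stack)
                   for name in _ENTITY_REF.findall(text) if name in decls)

    def cost(name, stack):
        if name in memo:
            return memo[name]
        if name in stack:
            raise ValueError(f"recursive entity definition: {name}")
        memo[name] = cost_of_refs(decls[name], stack | {name})
        return memo[name]

    body = _DOCTYPE.sub("", xml_text, count=1)  # only references in the document body remain
    return cost_of_refs(body, frozenset())


def check_document(xml_text, limit=MAX_ENTITY_EXPANSION):
    """Return (expansions, accepted); the document is rejected above the limit."""
    n = count_expansions(xml_text)
    return n, n <= limit


def nested_doc(levels, fanout):
    """Constructed sample: e0 = "x", and each e{i} repeats &e{i-1}; fanout times."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, levels):
        ref = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{ref}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE r [\n' + "\n".join(decls)
            + f"\n]>\n<r>&e{levels - 1};</r>")


if __name__ == "__main__":
    for levels, fanout in ((3, 3), (5, 8)):
        n, ok = check_document(nested_doc(levels, fanout))
        print(f"{levels} levels x {fanout}: {n} expansions -> {'accepted' if ok else 'rejected'}")
```

A document with three levels of three references costs 13 expansions and is accepted, while five levels of eight references costs 4681 and is rejected, even though neither is ever expanded.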
For more detailed guidance on resolving this issue, please contact us at support@dt-advisory.ch.