XML External Entity (XXE) attacks pose a significant security risk in applications that process XML data. Without adequate protection, attackers can exploit Document Type Definitions (DTDs) to perform unauthorized actions, such as sending arbitrary HTTP requests or accessing sensitive data. Implementing XXE protection is crucial for safeguarding your ServiceNow environment against such vulnerabilities.
Resolution Steps:
Ensure Necessary System Properties Exist and Are Configured:
Verify whether the system property glide.xml.entity.whitelist.enabled exists. If it does not, create it by navigating to System Properties > New and set it to true to enable XXE protection.
Confirm that glide.stax.whitelist_enabled is also set to true; it governs how external entities are processed by XMLDocument2.
Configure the Whitelist of Allowed XML Entities:
Review the current value of glide.xml.entity.whitelist, which by default may contain http://java.sun.com/j2ee/dtds/.
Determine which external entities your business processes actually require and add their URLs to this property as comma-separated values. Be selective about what you allow: every entry should point to a source you trust, since anything on the list is fetched when a document references it.
Testing and Validation:
After making changes, test XML processing functionalities in your environment to ensure no legitimate processes are affected.
Monitor system logs for any unusual activities or errors that might suggest misconfigurations or attempted XXE exploits.
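The following script is an added example, not ServiceNow's own code, for checking the three properties from the steps above and for reasoning about what the whitelist will admit. It assumes gs.getProperty is available when run as a Background Script on the instance; offline, the constructed SAMPLE_STORE stands in for the instance, and the prefix-matching rule in isEntityAllowed is an assumption since the page does not state the platform's exact matching behaviour.

```javascript
// Added example (not ServiceNow's own code): audits the XXE properties named
// above and models the whitelist decision. getProperty is any name -> value
// function; in a Background Script pass function (n) { return gs.getProperty(n); }.
var REQUIRED = {
  'glide.xml.entity.whitelist.enabled': 'true', // enables XXE protection
  'glide.stax.whitelist_enabled': 'true'        // governs XMLDocument2 entities
};
var WHITELIST_PROP = 'glide.xml.entity.whitelist';

// Splits the comma-separated property value into trimmed, non-empty entries.
function parseWhitelist(value) {
  return String(value == null ? '' : value).split(',')
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// Returns findings; an empty list means the configuration matches the steps.
function auditXxeConfig(getProperty) {
  var findings = [];
  Object.keys(REQUIRED).forEach(function (name) {
    var value = getProperty(name);
    if (value == null) {
      findings.push(name + ' is missing; create it and set it to true');
    } else if (String(value).trim().toLowerCase() !== REQUIRED[name]) {
      findings.push(name + ' is "' + value + '", expected true');
    }
  });
  if (parseWhitelist(getProperty(WHITELIST_PROP)).length === 0) {
    findings.push(WHITELIST_PROP + ' is missing or empty; no entity can match it');
  }
  return findings;
}

// Models the whitelist decision: allowed only if the entity URL begins with an entry.
// Assumption: the page gives no exact matching rule; prefix matching is used here.
function isEntityAllowed(whitelistValue, entityUrl) {
  return parseWhitelist(whitelistValue).some(function (prefix) {
    return entityUrl.indexOf(prefix) === 0;
  });
}

// Constructed property store for offline use (not a real instance).
var SAMPLE_STORE = {
  'glide.xml.entity.whitelist.enabled': 'true',
  'glide.stax.whitelist_enabled': 'true',
  'glide.xml.entity.whitelist': 'http://java.sun.com/j2ee/dtds/'
};
function sampleGetProperty(name) {
  return SAMPLE_STORE.hasOwnProperty(name) ? SAMPLE_STORE[name] : null;
}
```

Run auditXxeConfig against the instance after the changes and again after any import of property updates; a non-empty result is the misconfiguration the validation step above is looking for.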
Enabling XXE protection in your ServiceNow environment is a key security measure that prevents attackers from exploiting XML processing vulnerabilities. By restricting XML external entities, you can protect sensitive data and maintain the integrity and security of your system operations.
For more detailed guidance on resolving this issue, please contact us at support@dt-advisory.ch.