ServiceNow, a cloud-based IT service management platform, recently disclosed and fixed an Access Control List (ACL) bypass vulnerability in its core functionality. This vulnerability, registered as CVE-2022-43684, could potentially allow authenticated users to gain access to sensitive information from tables that lack proper authorization controls. In this post, we'll cover the details of the vulnerability, affected ServiceNow releases, and how to apply patches and upgrades to mitigate this issue.

* Utah prior to Utah General Availability

Organizations utilizing these ServiceNow releases should immediately apply patches and upgrades to protect sensitive information from unauthorized users.

Exploit Details

The vulnerability exists in the ServiceNow core functionality, and affected instances may be missing essential Access Control List (ACL) rules. As a result, authenticated users can bypass the authorization system and access sensitive tables.

For example, an attacker with a valid ServiceNow user account can exploit this issue to gain unauthorized access to sensitive table data.

```javascript
// Example exploit using ServiceNow JavaScript API
var gr = new GlideRecord('some_protected_table');
gr.query();
while (gr.next()) {
  // Access the sensitive table records
}
```

This vulnerability highlights the importance of properly implementing ACLs to protect sensitive data in ServiceNow instances.

Mitigation and Patching

ServiceNow has released patches and upgrades to address this vulnerability in all affected releases. To apply these patches, follow the steps below:

1. Identify the ServiceNow release you're using.

2. Download the appropriate patch or upgrade from the ServiceNow Patches and Upgrades page.

3. Apply the patch or upgrade as per the provided documentation.

For example, if you're using ServiceNow Rome, you should upgrade to Rome Patch 10 Hot Fix 1 to remediate the ACL bypass vulnerability.

Please refer to the original ServiceNow Security Advisory for more information on CVE-2022-43684 and other vulnerabilities affecting ServiceNow products.

Conclusion

CVE-2022-43684 highlights the importance of proper access control and securing sensitive data in ServiceNow instances. It's critical for organizations using the affected ServiceNow releases to apply the patches and upgrades immediately to mitigate the risk of unauthorized access to sensitive information. Moreover, ServiceNow administrators should periodically review and audit ACLs in their instances to ensure the security of the organization's data.
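The periodic ACL review recommended above can start from exported metadata. The following is an added example (not ServiceNow's code and not from the original post) that flags tables with no active row-level read rule on the table itself or on any parent table. Assumptions: the export shape, the helper name `findTablesWithoutReadAcl`, and all sample rows are constructed for illustration, and the matching is a simplified model of ACL evaluation.

```javascript
// Added example: offline ACL coverage check. All rows below are constructed.
// Assumed export shape: sys_db_object rows as {name, super_class} and
// sys_security_acl rows as {name, operation, type, active} (display values).
const sampleTables = [
  { name: 'task', super_class: '' },
  { name: 'incident', super_class: 'task' },
  { name: 'u_payroll', super_class: '' },
  { name: 'u_audit_notes', super_class: '' },
];
const sampleAcls = [
  { name: 'task', operation: 'read', type: 'record', active: true },
  { name: 'incident', operation: 'write', type: 'record', active: true },
  { name: 'u_payroll', operation: 'read', type: 'record', active: false },
  { name: 'u_audit_notes.*', operation: 'read', type: 'record', active: true },
];

// Hypothetical helper: returns tables with no active row-level read rule on
// the table itself or on any ancestor table.
function findTablesWithoutReadAcl(tables, acls) {
  const covered = new Set();
  for (const acl of acls) {
    if (!acl.active || acl.type !== 'record' || acl.operation !== 'read') continue;
    // "table" is a row-level rule; "table.field" and "table.*" are field-level.
    if (!acl.name.includes('.')) covered.add(acl.name);
  }
  const parentOf = new Map(tables.map((t) => [t.name, t.super_class || null]));
  const findings = [];
  for (const t of tables) {
    const seen = new Set(); // guards against a cyclic export
    let cur = t.name;
    let matched = false;
    while (cur && !seen.has(cur)) {
      seen.add(cur);
      if (covered.has(cur)) { matched = true; break; }
      cur = parentOf.get(cur) || null;
    }
    // reliesOnWildcard: only the global "*" row-level rule would apply.
    if (!matched) findings.push({ table: t.name, reliesOnWildcard: covered.has('*') });
  }
  return findings;
}

for (const f of findTablesWithoutReadAcl(sampleTables, sampleAcls)) {
  console.log(`${f.table}: no table-specific read ACL` +
    (f.reliesOnWildcard ? ' (falls back to "*" rule)' : ' (no "*" rule either)'));
}
```

Inactive rules and field-only rules are treated as no coverage, which is why both `u_payroll` and `u_audit_notes` are reported for the sample data.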

Timeline

Published on: 06/13/2023 19:15:00 UTC
Last modified on: 07/11/2023 18:15:00 UTC