Calming Unwarranted Fears Around ServiceNow Security

Recent articles may have raised some concerns over a vulnerability with an out-of-box ServiceNow widget that could result in unintended data access. However, these concerns seem overstated. For one, it's important to note this research is centric to all cloud platforms, not just ServiceNow. And, secondly, the issue was proactively addressed by ServiceNow back in May 2023 - 5 months prior to the articles being published. While we don't anticipate any significant risk, we have provided some additional information and recommendations below to assure you that your company data remains safe and secure on the ServiceNow platform.

What’s at risk?

Any data that is housed on a table where the 'public' role has been given read permissions may be accessible to unauthorized users.

What's been done so far?

ServiceNow performed proactive maintenance on customer instances back in May 2023. This maintenance adjusted the behaviour of the "Simple List Widget" to prevent unauthorised access to certain data. The fix is available in Tokyo Patch 8 & 7a, Utah Patch 1a & 2, San Diego Patch 10 Hot Fix 1a (and above). Note: customised or cloned widgets were not fixed. Read the full Knowledge article (KB1279323) here.

What can you do?

If you suspect you are using a cloned or customised "Simple List Widget" or would like to simply review your instance to rule out a potential vulnerability, we recommend you perform the following activities:

• Use our complimentary Instance Analyser - in 15 minutes, you will have a clear output on whether you have a vulnerability risk related to the "Simple List Widget" misconfiguration. Run a quick review using the “Avoid Public Widget List” and “Avoid Empty Access Control” rules from our Best Practice Analysis. You do not need to run and wait for an entire Best Practice Analysis review to detect these potential risk items. Be sure your Best Practice Analysis Content Pack is updated to version 1.4 to receive these two new rules. Learn more about Instance Analyzer. 
• If not already installed, install the Explicit Roles plugin. This plugin will update any OOB Access Controls that don't have a role requirement thus closing any path to public access. Note: The plugin will not update any Custom or Modified ACL. Read more here.
• Check your “public” roles and adjust role status accordingly based on business needs and requirements.

Moving forward

ServiceNow diligently monitors threats and acts swiftly to protect customers - as do we. As your ServiceNow platform advisor, we will continue to share information that empowers you to utilise ServiceNow securely. In the meantime, by taking the steps shared above, you can be assured that your instance is safe from unauthorised access.