[Security Advisory] CVE-2021-45901 – Local Account Password Reset Username Enumeration

ServiceNow Posture
February, 2022

ServiceNow is aware of the recently published CVE filed for the Now Platform, associated with the ability to use password reset functionality to enumerate usernames. This behavior can be prevented by enabling CAPTCHA as part of the Password Reset process.

Customers on all supported versions of the Now Platform can enable the CAPTCHA functionality by toggling "Display captcha" while configuring the Password Reset Process. Further details regarding this process are available here: https://docs.servicenow.com/csh?topicname=t_CreateAPasswordResetProcess.html

Please note, the ability to enable the "Display captcha" field has existed across multiple family releases, including Orlando. As of the Rome family release, ServiceNow has enabled "Display captcha" by default for new instances. If you have upgraded from a previous version to Rome (or newer), this field will not be set automatically and will need to be manually reviewed and enabled, as necessary.

Best practice is to set the "Display captcha" field for any active Password Reset process configured for "Public access." Further, if alternative authentication methods (e.g., SSO) are used, please review active Password Reset processes.

Associated CVE(s): CVE-2021-45901

Additional Resources

ServiceNow does not endorse or share the views, positions, or claims expressed by any of the following links. They are provided solely as supplementary material.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/servicenow-username-enumeration-vulnerability-cve-2021-45901/
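The review the advisory asks for (every active Password Reset process, with public ones checked for "Display captcha") can be scripted against the instance's Table API. The following audit is an added example, not ServiceNow's own tooling; the table name pwd_process and the field names active, public_access and display_captcha are assumptions about the Password Reset data model and should be confirmed on your instance.

```python
import json
import urllib.request
from base64 import b64encode

# Table and field names are assumptions about the Password Reset data model
# (pwd_process; boolean fields active, public_access, display_captcha). Check
# them against your instance before relying on the query.
PROCESS_TABLE = "pwd_process"
FIELDS = ["name", "active", "public_access", "display_captcha"]

def truthy(value):
    """The Table API returns booleans as the strings 'true' / 'false'."""
    return str(value).lower() == "true"

def audit_processes(records):
    """Return (process name, finding) for each active process with CAPTCHA off.

    Public processes are flagged as exposed; non-public ones are listed for
    review, since alternative authentication paths may still reach them.
    """
    findings = []
    for rec in records:
        if not truthy(rec.get("active")) or truthy(rec.get("display_captcha")):
            continue
        if truthy(rec.get("public_access")):
            findings.append((rec["name"], "public process without CAPTCHA"))
        else:
            findings.append((rec["name"], "review: non-public process without CAPTCHA"))
    return findings

def fetch_processes(instance, user, password):
    """Pull active process records through the Table API (needs network access)."""
    url = (f"https://{instance}.service-now.com/api/now/table/{PROCESS_TABLE}"
           f"?sysparm_query=active=true&sysparm_fields={','.join(FIELDS)}")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]

# Constructed sample records in the shape the Table API returns (not real data).
SAMPLE = [
    {"name": "Self-service reset", "active": "true", "public_access": "true", "display_captcha": "false"},
    {"name": "Helpdesk reset", "active": "true", "public_access": "false", "display_captcha": "false"},
    {"name": "Legacy reset", "active": "false", "public_access": "true", "display_captcha": "false"},
    {"name": "Rome default", "active": "true", "public_access": "true", "display_captcha": "true"},
]
```

Run `audit_processes(fetch_processes(instance, user, password))` against a live instance, or `audit_processes(SAMPLE)` offline to see how the upgraded-from-Orlando case (captcha left off) is reported.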