General Information | Potential Public List Widget Misconfiguration

1. Overview

ServiceNow is aware of the recent publications describing a potential misconfiguration issue that could result in unintended access and is actively investigating the reports that we have observed in various online resources. The situation is still evolving, but we wanted to share our understanding of the issue and how to evaluate whether any additional configuration changes should be implemented for your instance.

When using ServiceNow, customers use Access Control Lists (ACLs) to restrict access to tables and columns within the platform. ServiceNow is a default-deny system, so the absence of any ACL against a resource or its upstream hierarchy results in a denial of access. Individual ACLs, however, involve a three-part check where each "empty" check resolves to true. Customers can construct an ACL with an empty check for:

- Roles
- Conditions
- Script

In the event that such an ACL is constructed, the underlying ACL system will allow any user, including the guest user, to access the resource in question. There is a further control built into the ServiceNow platform, though: if a user is *not authenticated*, the system tightly controls the pages the user can read, and includes a narrow list of "allowed" pages such as the login page. In the event a non-authenticated user were to attempt to access a resource outside of this allowed list, they would be redirected to the login page, or receive an access denied error.

Customers with resources that support public portals, for example Service Portal Widgets that are active and set to public, are however an exception to that control: they are, by design, accessible to non-authenticated users, so that control mechanism does not apply, and the underlying ACL system is relied upon to protect sensitive data.

Within that portal exception, there is at least one specific portal widget, mentioned in the article, called SimpleListWidget, which allows the ad-hoc query of data from the system. That widget does respect the underlying ACL system, but is not otherwise restricted by the aforementioned authentication mechanism. Customers should evaluate their use of other public portal widgets with the same criteria.

Customers should consider their ACL configurations against the following criteria for a given instance:

- IF a table or column was configured with an ACL with no role, no condition and no script
- AND the instance has at least one public portal widget
- THEN this configuration could mean that the specific tables with the no-roles ACLs can potentially be read via the widget in question

2. Remediation

The simplest remediation step for customers to take is:

- Identify whether they have configured any such ACLs within their instance.
- In the event they do in fact want unauthenticated users to be able to read that data, then no action is required.
- Otherwise, they can update them to add the following line to the script section of the ACL:

    gs.isLoggedIn()

The above will ensure that unauthenticated users cannot read the tables in question via the SimpleListWidget or other public portal widgets.

More generally, ServiceNow recommends the following steps can be taken by customers to further secure their instance:

- Review Access Control Lists (ACLs) that either are entirely empty or, alternately, contain the role "Public" to determine whether that aligns with their specific business and security needs and if the underlying data should, in fact, be publicly accessible.
- Review public widgets and consider setting the "Public" flag to false if they do not align with their use cases.
- If you determine that external user access or mobile access to the instance is not needed, apply IP Address Access Control within the instance to limit access to only known, trusted IP Addresses. OR, for more granular authentication control, including the ability to enable mobile access while limiting access to IP ranges including subnets, apply Adaptive Authentication policies.
- Review Knowledge Base User Criteria definitions to validate that access to Knowledge Base content is granted according to your requirements. The following KB provides details on how to evaluate User Criteria: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1123580

Because the Explicit Roles plugin ensures that every ACL declares at least one role requirement, your instances using the Explicit Roles plugin are not affected by this issue. ServiceNow encourages customers with this plugin to review ACLs that contain the "public" role and evaluate their User Criteria configurations.
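The ACL evaluation rules from the Overview (default deny when no ACL matches, each empty part of the three-part check resolving to true) and the remediation above (adding gs.isLoggedIn() to the script section of the affected ACLs), as an added JavaScript example that is not part of this article and is not ServiceNow's platform code. It models the rules in plain Node.js: the ACL records, the users and the makeGs stand-in for the server-side gs object are constructed sample data; conditions are modelled as predicates on the record rather than encoded queries, and the script field as a single expression; real ACLs live in sys_security_acl and are evaluated by the platform, not by this file. The audit also lists ACLs that grant the "public" role, which the broader review steps ask customers to look at.

```javascript
// Added example, not ServiceNow's code: a model of the ACL decision rules the
// article describes, an audit for read ACLs whose three checks are all empty,
// and the recommended gs.isLoggedIn() guard applied to them. All records below
// are constructed sample data; real ACLs live in sys_security_acl and are
// evaluated by the platform, not by this file.

// Stand-in for the server-side "gs" object (assumption: only isLoggedIn is
// modelled, because that is the call the remediation uses).
function makeGs(user) {
  return { isLoggedIn: () => user.authenticated === true };
}

// Three-part ACL check. An empty roles list, a missing condition or an empty
// script each resolve to true, so an ACL with all three empty admits anyone,
// guest included. Conditions are modelled as predicates on the record and the
// script as one JavaScript expression string with "gs"/"current" in scope
// (a simplification of the real script field).
function evaluateAcl(acl, user, record) {
  const roleOk = acl.roles.length === 0 || acl.roles.some((r) => user.roles.includes(r));
  const condOk = !acl.condition || acl.condition(record);
  const body = (acl.script || "").trim();
  const scriptOk = body === "" ||
    Boolean(new Function("gs", "current", `return (${body});`)(makeGs(user), record));
  return roleOk && condOk && scriptOk;
}

// Default deny: with no active read ACL on the resource, access is refused.
// Where more than one applies, any passing ACL grants access (an assumption of
// this model; the platform's table/field precedence is not reproduced here).
function canRead(acls, resource, user, record) {
  const applicable = acls.filter((a) => a.active && a.operation === "read" && a.resource === resource);
  return applicable.length > 0 && applicable.some((a) => evaluateAcl(a, user, record));
}

// Audit step from the Remediation section: read ACLs with no role, no
// condition and no script; and, for the broader review, ACLs granting "public".
function auditAcls(acls) {
  const isEmpty = (a) => a.roles.length === 0 && !a.condition && (a.script || "").trim() === "";
  return {
    empty: acls.filter((a) => a.active && a.operation === "read" && isEmpty(a)).map((a) => a.name),
    publicRole: acls.filter((a) => a.active && a.roles.includes("public")).map((a) => a.name),
  };
}

// Remediation: put gs.isLoggedIn() in the (empty) script section of each
// flagged ACL, so unauthenticated users fail the script check.
function requireLogin(acls, names) {
  return acls.map((a) => (names.includes(a.name) ? { ...a, script: "gs.isLoggedIn()" } : a));
}

// Constructed sample data: one wide-open ACL, one role-gated, one
// condition-gated, one granting the public role.
const sampleAcls = [
  { name: "incident/read", resource: "incident", operation: "read", active: true,
    roles: [], condition: null, script: "" },
  { name: "sys_user/read", resource: "sys_user", operation: "read", active: true,
    roles: ["itil"], condition: null, script: "" },
  { name: "kb_knowledge/read", resource: "kb_knowledge", operation: "read", active: true,
    roles: [], condition: (r) => r.workflow_state === "published", script: "" },
  { name: "sc_cat_item/read", resource: "sc_cat_item", operation: "read", active: true,
    roles: ["public"], condition: null, script: "" },
];
const guest = { authenticated: false, roles: ["public"] };
const agent = { authenticated: true, roles: ["itil"] };

// Run the audit and the fix, reporting guest read access before and after.
function auditAndFix(acls) {
  const findings = auditAcls(acls);
  const fixed = requireLogin(acls, findings.empty);
  const guestBefore = acls.map((a) => [a.resource, canRead(acls, a.resource, guest, {})]);
  const guestAfter = fixed.map((a) => [a.resource, canRead(fixed, a.resource, guest, {})]);
  return { findings, fixed, guestBefore, guestAfter };
}

const result = auditAndFix(sampleAcls);
console.log(JSON.stringify({ findings: result.findings,
  guestBefore: result.guestBefore, guestAfter: result.guestAfter }));
```

Running it shows the pattern the article warns about: only the incident ACL is flagged as empty (the kb_knowledge ACL has no role but does have a condition, so it is outside the narrow criteria, while the sc_cat_item ACL appears in the separate "public" role list for review), the guest can read incident before the fix and cannot afterwards, and an authenticated user still passes because the roles check of the fixed ACL is still empty and therefore true.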
The process for evaluating User Criteria is found here: KB1123580

3. Additional Resources

Please refer to official guidance from ServiceNow through Now Support and public documentation, available at https://docs.servicenow.com, for guidance on addressing this issue.

- Reviewing Transaction Logs for Simple List Widget Activity: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1555166
- Developing Custom Widgets: https://docs.servicenow.com/csh?topicname=widget-dev-guide.html
- ACLs: https://docs.servicenow.com/csh?topicname=access-control-rules.html
- IP Address Access Control: https://docs.servicenow.com/csh?topicname=t_AccessControl.html
- Adaptive Authentication: https://docs.servicenow.com/csh?topicname=adaptive-authentication.html