Upgrading ACC Agent installs is necessary to get bug and security fixes for Ruby/RubyGems/OpenSSL

Table of Contents
  Introduction
  Manifest versions
    agent-client-collector 3.5.3
    agent-client-collector 4.0.0
    agent-client-collector 4.1.1
  The RubyGems, and their versions
    agent-client-collector 3.5.3
    agent-client-collector 4.0.0
    agent-client-collector 4.1.1
  A note on false positives from security scanners

Introduction

Unlike MID Servers, when the Agent Client Collector Framework app in the instance is upgraded, the Agent installs remain on the version they were installed with. The checks, and the ACC Plugins containing the scripts their commands use, do get upgraded and pushed to all the Agents, but the Agent's binaries don't. The Self-Upgrade feature isn't designed for mass deployments of upgrades. Customers are expected to use their own provisioning/automation tools to reinstall or upgrade the Agent software on computers.

Tech support has realised that some customers have been (mis)led to believe they don't need to upgrade agent installs, or have decided it's too much trouble to bother with. This KB aims to convince (frighten) customers into doing this every time the ACC-F app in the instance is upgraded.

The reason agent installs should be maintained is that an Agent install contains a lot of 3rd party helper applications and libraries. Like any software, these may have bugs and occasionally security vulnerabilities that need patching, and some may affect the Check commands used by ACC features. ServiceNow's release testing is also generally done with Agent installs that match the version of the app in the instance, and higher level apps are tested with the latest Framework version and installs.

This is not intended to be a comprehensive list of changes. It highlights the kind of changes made between versions, using ACC-F 3.5.3 as a baseline and showing what changed in the 4.0.0 and then the 4.1.1 installers.
A couple of the upgrades, notably those to Ruby and OpenSSL, are ones your security scanners may already have made you aware of. Stripping the unused RubyGems out of v4.1 was also a proactive security measure: code that isn't shipped can't turn out to have vulnerabilities later.

Manifest versions

The manifest file is C:\Program Files\ServiceNow\agent-client-collector\version-manifest.txt. Components upgraded relative to the previous version are listed after each table.

agent-client-collector 3.5.3

Component          Installed Version   Version GUID                                                              Overridden From
---------------------------------------------------------------------------------------------------------------------------------
cacerts            2018-01-17          sha256:defe310a0184a12e4b1b3d147f1d77395dd7a09e3428373d019bef5d542ceba3
config_guess       master              git:84f04b02a7e2fc8eaa9d52deee5f6d57b06fe447
libffi             3.4.4               sha256:d66c56ad259a82cf2a9dfc408b32bf5da52371500b84745f7fb8b645712df676
libyaml            0.2.5               sha256:c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4
openssl            1.0.2zg             sha256:09f8372eaede77ec8e6945e2d2d8eeb1b91662980cf23fe95f627b377162296c
preparation        1.0.0
rb-readline-gem    0.5.5
ruby               3.2.2               sha256:96c57558871a6748de5bc9f274e93f4b5aad06cd8f37befa0e8d94e7b8a423bc
rubygems           3.5.3
sensu-gem          3.5.3                                                                                         0.26.1
shebang-cleanup    0.0.3
version-manifest   0.0.1
zlib               1.2.13              sha256:b3a24de97a8fdbc835b9833169501030b8977031bcb54b3b3ac13740f846ab30

agent-client-collector 4.0.0

Component          Installed Version   Version GUID                                                              Overridden From
---------------------------------------------------------------------------------------------------------------------------------
cacerts            2018-01-17          sha256:defe310a0184a12e4b1b3d147f1d77395dd7a09e3428373d019bef5d542ceba3
config_guess       master              git:84f04b02a7e2fc8eaa9d52deee5f6d57b06fe447
libffi             3.4.4               sha256:d66c56ad259a82cf2a9dfc408b32bf5da52371500b84745f7fb8b645712df676
libyaml            0.2.5               sha256:c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4
openssl            1.0.2zg             sha256:09f8372eaede77ec8e6945e2d2d8eeb1b91662980cf23fe95f627b377162296c
preparation        1.0.0
rb-readline-gem    0.5.5
ruby               3.3.2               sha256:3be1d100ebf2a0ce60c2cd8d22cd9db4d64b3e04a1943be2c4ff7b520f2bcb5b
rubygems           4.0.0
sensu-gem          4.0.0                                                                                         0.26.1
shebang-cleanup    0.0.3
version-manifest   0.0.1
zlib               1.2.13              sha256:b3a24de97a8fdbc835b9833169501030b8977031bcb54b3b3ac13740f846ab30

Upgraded from 3.5.3: ruby (3.2.2 -> 3.3.2), rubygems (3.5.3 -> 4.0.0), sensu-gem (3.5.3 -> 4.0.0).

agent-client-collector 4.1.1

Component          Installed Version   Version GUID                                                              Overridden From
---------------------------------------------------------------------------------------------------------------------------------
cacerts            2018-01-17          sha256:defe310a0184a12e4b1b3d147f1d77395dd7a09e3428373d019bef5d542ceba3
config_guess       master              git:84f04b02a7e2fc8eaa9d52deee5f6d57b06fe447
libffi             3.4.4               sha256:d66c56ad259a82cf2a9dfc408b32bf5da52371500b84745f7fb8b645712df676
libyaml            0.2.5               sha256:c642ae9b75fee120b2d96c712538bd2cf283228d2337df2cf2988e3c02678ef4
openssl            3.3.2               sha256:2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281
preparation        1.0.0
rb-readline-gem    0.5.5
ruby               3.3.2               sha256:3be1d100ebf2a0ce60c2cd8d22cd9db4d64b3e04a1943be2c4ff7b520f2bcb5b
rubygems           4.1.1
sensu-gem          4.1.1                                                                                         0.26.1
shebang-cleanup    0.0.3
version-manifest   0.0.1
zlib               1.2.13              sha256:b3a24de97a8fdbc835b9833169501030b8977031bcb54b3b3ac13740f846ab30

Upgraded from 4.0.0: openssl (1.0.2zg -> 3.3.2), rubygems (4.0.0 -> 4.1.1), sensu-gem (4.0.0 -> 4.1.1).

The RubyGems, and their versions

Note: The following lists are for Windows installs. The folder names/versions for Linux installs can be found in /usr/share/servicenow/agent-client-collector/embedded/lib/ruby/gems/3.3.0/gems/.
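The manifest tables in the previous section can be checked programmatically on each agent. The Ruby script below is an added example, not part of the ACC installer or ServiceNow's tooling: it parses the omnibus-style version-manifest.txt text, lists the components whose version changed between two manifests, and reports whether an agent is at the version the instance app expects. The function names are this example's own, and the two sample manifests are constructed from rows quoted above, trimmed to a few components.

```ruby
require "rubygems" # Gem::Version, so "3.5.3" < "4.1.1" compares as versions, not strings

# Parse an omnibus-style version-manifest.txt into
# { product:, version:, components: { name => installed version } }.
def parse_manifest(text)
  lines = text.lines.map(&:strip).reject(&:empty?)
  product, version = lines.shift.split(/\s+/, 2)   # "agent-client-collector 3.5.3"
  components = {}
  lines.each do |line|
    next if line.start_with?("Component", "---")   # column header and rule
    name, installed = line.split(/\s+/)            # GUID / Overridden From columns ignored
    components[name] = installed
  end
  { product: product, version: version, components: components }
end

# Components whose installed version differs between two manifests: name => [old, new].
def manifest_diff(old_text, new_text)
  a = parse_manifest(old_text)[:components]
  b = parse_manifest(new_text)[:components]
  (a.keys | b.keys).each_with_object({}) { |n, out| out[n] = [a[n], b[n]] if a[n] != b[n] }
end

# True when the agent's own manifest reports at least the version the instance app
# expects; anything lower is an install that was never upgraded.
def agent_current?(manifest_text, expected_version)
  Gem::Version.new(parse_manifest(manifest_text)[:version]) >= Gem::Version.new(expected_version)
end

# Constructed sample manifests, trimmed to a few of the rows quoted in this KB.
MANIFEST_353 = <<~TXT
  agent-client-collector 3.5.3
  Component     Installed Version  Version GUID                                                             Overridden From
  -----------------------------------------------------------------------------------------------------------------------
  cacerts       2018-01-17         sha256:defe310a0184a12e4b1b3d147f1d77395dd7a09e3428373d019bef5d542ceba3
  openssl       1.0.2zg            sha256:09f8372eaede77ec8e6945e2d2d8eeb1b91662980cf23fe95f627b377162296c
  preparation   1.0.0
  ruby          3.2.2              sha256:96c57558871a6748de5bc9f274e93f4b5aad06cd8f37befa0e8d94e7b8a423bc
  sensu-gem     3.5.3                                                                                       0.26.1
TXT
MANIFEST_411 = <<~TXT
  agent-client-collector 4.1.1
  Component     Installed Version  Version GUID                                                             Overridden From
  -----------------------------------------------------------------------------------------------------------------------
  cacerts       2018-01-17         sha256:defe310a0184a12e4b1b3d147f1d77395dd7a09e3428373d019bef5d542ceba3
  openssl       3.3.2              sha256:2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281
  preparation   1.0.0
  ruby          3.3.2              sha256:3be1d100ebf2a0ce60c2cd8d22cd9db4d64b3e04a1943be2c4ff7b520f2bcb5b
  sensu-gem     4.1.1                                                                                       0.26.1
TXT
puts manifest_diff(MANIFEST_353, MANIFEST_411).inspect
```

On a real agent, read the manifest path given above with File.read and pass it to agent_current? together with the version of the ACC-F app installed in the instance.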
agent-client-collector 3.5.3

C:\Program Files\ServiceNow\agent-client-collector\embedded\lib\ruby\gems\3.2.0\gems
Key: [x] = not present in 4.0.0

activesupport-7.0.8, addressable-2.8.6, amq-protocol-2.0.1, bundler-2.3.3, bundler-2.4.10, bunny-2.6.4,
carrot-top-0.0.7, concurrent-ruby-1.2.3, debug-1.7.1, domain_name-0.6.20240107, erb-4.0.2, ffi-1.16.3,
ffi-compiler-1.3.2, ffi-win32-extensions-1.0.4, http-5.2.0, http-cookie-1.0.5, http-form_data-2.3.0, i18n-1.14.4,
inifile-3.0.0, irb-1.6.2, json-2.3.0, json-2.7.2, jsonpath-1.1.5, kubeclient-4.11.0,
llhttp-ffi-0.5.0, matrix-0.4.2, mime-types-3.5.2, mime-types-data-3.2024.0305, minitest-5.16.3, mixlib-cli-1.7.0,
multi_json-1.15.0, net-ftp-0.2.0, net-imap-0.3.4, net-pop-0.1.2, net-smtp-0.3.3, netrc-0.11.0,
power_assert-2.0.3, prime-0.1.2, public_suffix-5.0.5, racc-1.6.2, rake-13.0.6, rake-13.2.1,
rb-readline-0.5.5, rbs-2.8.2, rdoc-6.5.0, recursive-open-struct-1.1.3, rest-client-2.0.2-x64-mingw32, rexml-3.2.5,
rss-0.2.9, rubygems-update-3.3.3 [x], ruby_dig-0.0.2, sensu-plugin-4.0.0, sensu-plugins-kubernetes-5.0.2, sensu-plugins-logs-4.1.1 [x],
sensu-plugins-rabbitmq-8.1.0, sensu-sn-readfile-1.1.3, stomp-1.4.7, sys-filesystem-1.3.4, sys-proctable-1.3.0, test-unit-3.5.7,
typeprof-0.21.3, tzinfo-2.0.6, win32-security-0.5.0

Note that 3.5.3 ships two copies each of bundler, json and rake; 4.0.0 ships one of each.

agent-client-collector 4.0.0

C:\Program Files\ServiceNow\agent-client-collector\embedded\lib\ruby\gems\3.3.0\gems\
Key: [*] = version higher than in 3.5.3, or new in 4.0.0; [x] = not present in 4.1.1

activesupport-7.0.8 [x], addressable-2.8.7 [*], amq-protocol-2.0.1 [x], bundler-2.5.9 [*], bunny-2.6.4 [x], carrot-top-0.0.7 [x],
concurrent-ruby-1.3.3 [*][x], debug-1.9.1 [*], domain_name-0.6.20240107 [x], erb-4.0.3 [*], ffi-1.17.0 [*], ffi-compiler-1.3.2,
ffi-win32-extensions-1.0.4, http-5.2.0 [x], http-cookie-1.0.6 [*][x], http-form_data-2.3.0 [x], i18n-1.14.5 [*][x], inifile-3.0.0 [x],
irb-1.13.1 [*], json-2.7.1, jsonpath-1.1.5 [x], kubeclient-4.12.0 [*][x], llhttp-ffi-0.5.0, matrix-0.4.2,
mime-types-3.5.2 [x], mime-types-data-3.2024.0702 [*][x], minitest-5.20.0 [*], mixlib-cli-1.7.0, multi_json-1.15.0 [x], net-ftp-0.3.4 [*],
net-imap-0.4.9.1 [*], net-pop-0.1.2, net-smtp-0.4.0.1 [*], netrc-0.11.0 [x], power_assert-2.0.3, prime-0.1.2,
public_suffix-6.0.0 [*], racc-1.7.3 [*], rake-13.1.0, rb-readline-0.5.5, rbs-3.4.0 [*], rdoc-6.6.3.1 [*],
recursive-open-struct-1.2.2 [*][x], rest-client-2.0.2-x64-mingw32 [x], rexml-3.2.8 [*], rss-0.3.0 [*], ruby_dig-0.0.2 [x], sensu-plugin-4.0.0,
sensu-plugins-kubernetes-5.0.2 [x], sensu-plugins-rabbitmq-8.1.0 [x], sensu-sn-readfile-1.1.3, stomp-1.4.7 [x], strscan-3.1.0 [*][x], syntax_suggest-2.0.0 [*],
sys-filesystem-1.3.4 [x], sys-proctable-1.3.0 [x], test-unit-3.6.1 [*], typeprof-0.21.9 [*], tzinfo-2.0.6 [x], win32-security-0.5.0

agent-client-collector 4.1.1

C:\Program Files\ServiceNow\agent-client-collector\embedded\lib\ruby\gems\3.3.0\gems\
Key: [*] = version differs from 4.0.0

addressable-2.8.6 [*], bundler-2.5.9, debug-1.9.1, erb-4.0.3, ffi-1.17.0, ffi-compiler-1.3.2,
ffi-win32-extensions-1.0.4, irb-1.13.1, json-2.7.1, llhttp-ffi-0.5.0, matrix-0.4.2, minitest-5.20.0,
mixlib-cli-1.7.0, net-ftp-0.3.4, net-imap-0.4.9.1, net-pop-0.1.2, net-smtp-0.4.0.1, power_assert-2.0.3,
prime-0.1.2, public_suffix-5.1.1 [*], racc-1.7.3, rake-13.1.0, rb-readline-0.5.5, rbs-3.4.0,
rdoc-6.6.3.1, rexml-3.3.7 [*], rss-0.3.0, sensu-plugin-4.0.0, sensu-sn-readfile-1.1.3, syntax_suggest-2.0.0,
test-unit-3.6.1, typeprof-0.21.9, win32-security-0.5.0

A note on false positives from security scanners

Tech support have found that customers' security scanners regularly flag alerts for Ruby Gems that turn out to be false positives, often because the scanner does not take our Ruby version into account, or perhaps cannot see the gem version.
For example, ACC-F 4.2.1 installs have been wrongly flagged for the CVEs below, among others, none of which ACC is vulnerable to. Please verify your scanner results before opening Support Cases or Security Findings with ServiceNow.

CVE-2024-27281 (Rubygems Security Update for rdoc)
https://nvd.nist.gov/vuln/detail/cve-2024-27281
"An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. ... The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1."
ACC-F 4.2.1 uses Ruby 3.3.2 with rdoc-6.6.3.1, so is not vulnerable.

CVE-2024-49761 (Rubygems Security Update for rexml)
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
"This does not happen with Ruby 3.2 or later."
ACC-F 4.2.1 uses Ruby 3.3.2, so is not vulnerable.

CVE-2024-43398 (Rubygems Security Update for rexml)
https://nvd.nist.gov/vuln/detail/cve-2024-43398
"The REXML gem 3.3.6 or later include the patch to fix the vulnerability."
ACC-F 4.2.1 uses rexml-3.3.7, so is not vulnerable.

CVE-2024-41946 (Rubygems Security Update for rexml, GHSA-5866-49gr-22v4)
https://nvd.nist.gov/vuln/detail/cve-2024-41946
"The REXML gem 3.3.3 or later include the patch to fix the vulnerability."
ACC-F 4.2.1 uses rexml-3.3.7, so is not vulnerable.

CVE-2024-41123 (Rubygems Security Update for rexml)
https://nvd.nist.gov/vuln/detail/cve-2024-41123
"The REXML gem before 3.3.2 has some DoS vulnerabilities ... The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities."
ACC-F 4.2.1 uses rexml-3.3.7, so is not vulnerable.

CVE-2024-39908 (Rubygems Security Update for rexml)
https://nvd.nist.gov/vuln/detail/cve-2024-39908
"The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities."
ACC-F 4.2.1 uses rexml-3.3.7, so is not vulnerable.

CVE-2024-35176 (Rubygems Security Update for rexml)
https://nvd.nist.gov/vuln/detail/cve-2024-35176
"The REXML gem 3.2.7 or later include the patch to fix this vulnerability"
ACC-F 4.2.1 uses rexml-3.3.7, so is not vulnerable.

CVE-2016-7954 (Rubygems Security Update for bundler)
https://nvd.nist.gov/vuln/detail/CVE-2016-7954
"Bundler 1.x might allow remote attackers to inject arbitrary Ruby code into an application by leveraging a gem name collision on a secondary source. NOTE: this might overlap CVE-2013-0334."
ACC-F 4.2.1 uses bundler-2.5.9, so is not vulnerable.

CVE-2019-3881 (Rubygems Security Update for bundler)
https://nvd.nist.gov/vuln/detail/CVE-2019-3881
"Bundler prior to 2.1.0 uses a predictable path in /tmp/,..."
ACC-F 4.2.1 uses bundler-2.5.9, so is not vulnerable.

CVE-2020-8130 (Rubygems Security Update for rake)
https://nvd.nist.gov/vuln/detail/CVE-2020-8130
"There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList ..."
ACC-F 4.2.1 uses rake-13.1.0, so is not vulnerable.

CVE-2021-43809 (Rubygems Security Update for bundler)
https://nvd.nist.gov/vuln/detail/CVE-2021-43809
"In `bundler` versions before 2.2.33..."
ACC-F 4.2.1 uses bundler-2.5.9, so is not vulnerable.

CVE-2020-36327 (Rubygems Security Update for bundler)
https://nvd.nist.gov/vuln/detail/CVE-2021-24105
"Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number"
ACC-F 4.2.1 uses bundler-2.5.9, so is not vulnerable.
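To verify scanner results of this kind before raising a case, the gem directory names from the lists above can be compared against the fixed versions NVD quotes, using Gem::Version rather than string comparison so that 6.6.3.1 and 3.3.7 sort correctly. The Ruby script below is an added example, not ServiceNow's tooling: the Finding structure, helper names and sample directory lists are its own, the fixed versions are taken from the CVE entries above, and the Ruby version comes from the 4.1.1 manifest.

```ruby
Finding = Struct.new(:cve, :gem_name, :fixed_in)

# "rest-client-2.0.2-x64-mingw32" -> ["rest-client", "2.0.2"]; platform suffix dropped.
def split_gem_dir(dir_name)
  m = dir_name.match(/\A(.+?)-(\d[^-]*)(?:-[^-].*)?\z/)
  m && [m[1], m[2]]
end

# name => [versions]; a gem can be present twice (3.5.3 ships json-2.3.0 beside json-2.7.2).
def installed_gems(dir_names)
  dir_names.each_with_object(Hash.new { |h, k| h[k] = [] }) do |d, acc|
    name, ver = split_gem_dir(d)
    acc[name] << ver if name
  end
end

# fixed_in holds one fixed version per maintained branch (rdoc: 6.3.4.1, 6.4.1.1,
# 6.5.1.1, 6.6.3.1): compare against the installed major.minor branch, else the newest fix.
def patched?(installed, fixed_in)
  v = Gem::Version.new(installed)
  fixes = fixed_in.map { |f| Gem::Version.new(f) }.sort
  branch = fixes.select { |f| f.segments[0, 2] == v.segments[0, 2] }
  v >= (branch.empty? ? fixes.last : branch.first)
end

# cve => :not_installed | :false_positive | :vulnerable; a finding is only a false
# positive when every installed copy of the gem carries the fix.
def triage(findings, gems)
  findings.to_h do |f|
    versions = gems.fetch(f.gem_name, [])
    status = if versions.empty? then :not_installed
             elsif versions.all? { |v| patched?(v, f.fixed_in) } then :false_positive
             else :vulnerable
             end
    [f.cve, status]
  end
end

# Constructed sample: fixed versions as quoted from NVD in this KB; directory names
# from the 4.1.1 and 3.5.3 gem lists, plus the Ruby version from the 4.1.1 manifest.
FINDINGS = [
  Finding.new("CVE-2024-27281", "rdoc", %w[6.3.4.1 6.4.1.1 6.5.1.1 6.6.3.1]),
  Finding.new("CVE-2024-43398", "rexml", %w[3.3.6]),
  Finding.new("CVE-2021-43809", "bundler", %w[2.2.33]),
  Finding.new("CVE-2020-8130", "rake", %w[12.3.3]),
  Finding.new("CVE-2024-49761", "ruby", %w[3.2]),
].freeze
ACC_411 = installed_gems(%w[bundler-2.5.9 json-2.7.1 rake-13.1.0 rdoc-6.6.3.1 rexml-3.3.7]).merge("ruby" => ["3.3.2"])
ACC_353 = installed_gems(%w[bundler-2.3.3 bundler-2.4.10 json-2.3.0 json-2.7.2 rake-13.0.6 rake-13.2.1 rdoc-6.5.0 rexml-3.2.5])
puts "4.1.1: #{triage(FINDINGS, ACC_411)}", "3.5.3: #{triage(FINDINGS, ACC_353)}"
```

On a real install, feed installed_gems with Dir.children of the embedded gems folder given above, and take the Ruby version from the manifest rather than from the scanner.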