Vulnerable JAR file found in extlib on MID Server

Issue

This KB article is for when your security scanners find a potentially vulnerable .jar file within the agent\extlib folder of a MID Server install.

JAR files contain Java classes. The extlib folder is on the MID Server's class search path, so any jar file placed in that folder adds its Java classes to the MID Server application, where they can be used by any ServiceNow, third-party or custom JavaScript script running on the MID Server. You therefore need to be sure there are no Java classes, or third-party libraries, in that folder with known vulnerabilities.

For example, you may have an alert for the Oracle MySQL driver below, but you could find literally anything there, because customers are allowed to add any jar file they like. A typical scanner finding looks like this:

File `C:\ServiceNow MID Test\agent\extlib\mysql-connector-java-5.1.44-bin.jar` version `5.1.44` is vulnerable to `CVE-2021-44531`, which exists in versions `<= 8.0.28`. The vulnerability was found in the [National Vulnerability Database (NVD)](https://nvd.nist.gov/vuln/detail/CVE-2021-44531) based on the CPE `cpe:2.3:a:oracle:mysql_connectors` with NVD severity: `High`. The file is associated with the technology `MySQL Connector/J`. The vulnerability can be remediated by updating `MySQL Connector/J` to `8.0.29` or higher.

Note that a match like this is made on the CPE and the version string the scanner derived from the file, not by inspecting the code, so confirm the exact product and version of the jar before acting on the finding.
(Location Path: C:\ServiceNow MID Test\agent\extlib\mysql-connector-java-5.1.44-bin.jar)

Release

Any.

Cause

Every jar file in the extlib folder of a MID Server will have been synchronised from an attachment on the 'JAR Files' [ecc_agent_jar] table of the instance. That is the only way to add files to extlib; files copied in manually are automatically deleted again. Only a few main features require additional JAR files:

- System Import Set JDBC Data Source drivers. Only MySQL, Oracle and MSSQL drivers are included out-of-box; any others will have been added by customers.
- Credential Resolvers for External Credential Storage, such as CyberArk.
- Custom JavaScript probes in integrations, implemented from custom scripts, Orchestration or Integration Hub flow actions.
- Plus maybe a few other out-of-box features, such as joda-time.jar for Event Management.

Resolution

If the file is from a ServiceNow feature, and your instance is upgraded, then a 'Security Finding' will need opening. See the section "How do I submit a security finding?" in KB0953526 Customer Penetration Testing Program FAQ.

However, most support cases turn out to be for files added by the customer for their own integrations. The JAR File record in the instance then needs to be either:

- Deleted or deactivated, if you know there are no longer any integrations or features that use the file. You will need to work out whether you are still using the jar file first:
  - For Import Sets, the 'Adding JDBC drivers for unsupported database formats' section of Docs: Import sets - Data sources - JDBC type data source explains how these drivers were originally added. If you have no Data Sources using the 'Format' that uses the driver, then it isn't in use by an Import Set.
  - Orchestration legacy workflow activities can also use JDBC drivers. Any such activities will have the 'Format' set, as in Data Sources, corresponding to the database driver. Docs: Orchestration custom activity templates - Create a JDBC activity.
  - Integration Hub steps would be set with a Custom 'Database Type'. Docs: Flows, subflows, and actions reference - Workflow Studio steps - JDBC step.
  - A check of MID Server Script Includes [ecc_agent_script_include] will confirm whether any JavaScript probes are using the JAR file.
  Note: Manually deleting the files from the MID Server won't work, because the instance will automatically add them again.
- Upgraded, where the old attachment is replaced with a newer version of the file. You will need to confirm exactly what the JAR file is, from which vendor, and what version. You can confirm the version by unzipping the jar file: the version is normally in META-INF/MANIFEST.MF (Implementation-Version) or in META-INF/maven/.../pom.properties. This example is for a jar file in the lib folder, but the same idea applies to all jar files, including the ones in extlib.
  Note: JAR files are ZIP files, and can be opened by e.g. 7-Zip.
  Once you know the vendor and name, you can search the internet for more recent versions of the file. You will need to test that any integration using the Java class still works on the new version. If not, that integration/import may need redesigning.
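The usage checks above (Data Sources by 'Format', MID Server Script Includes by the Java class they call) can be scripted against the instance rather than clicked through one record at a time. The following is an added example, not part of this KB or of ServiceNow's own tooling, written for the Table API. The table names come from the KB; the column names (sys_data_source.type, sys_data_source.jdbc_format, ecc_agent_script_include.script) and the jar-to-package mapping in DRIVER_MAP are assumptions to confirm on your instance. The sample rows are constructed so the triage runs offline; load_from_instance shows the equivalent live queries. Orchestration JDBC activities and Integration Hub JDBC steps are not covered here and still need the manual check described above.

```python
"""Cross-reference 'JAR Files' [ecc_agent_jar] records against the instance
features that can load them, so a jar with no remaining references can be
deactivated on evidence rather than guesswork. Table and column names, and
DRIVER_MAP, are this example's assumptions, not a ServiceNow-documented API."""
import base64
import json
import re
import urllib.parse
import urllib.request


def table_api_query(base_url, table, query, fields, user, password):
    """Read rows via GET /api/now/table/<table> with basic auth (network)."""
    url = (f"{base_url}/api/now/table/{table}"
           f"?sysparm_query={urllib.parse.quote(query)}"
           f"&sysparm_fields={','.join(fields)}&sysparm_limit=1000")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


def load_from_instance(base_url, user, password):
    """Pull the three record sets the triage needs (not used by the offline demo).
    Column names here are assumptions; check them against your instance."""
    jars = table_api_query(base_url, "ecc_agent_jar", "active=true",
                           ["sys_id", "name", "version", "active"], user, password)
    data_sources = table_api_query(base_url, "sys_data_source", "type=JDBC",
                                   ["name", "type", "jdbc_format", "active"], user, password)
    script_includes = table_api_query(base_url, "ecc_agent_script_include", "active=true",
                                      ["name", "script"], user, password)
    return jars, data_sources, script_includes


def jar_references(jars, data_sources, script_includes, driver_map):
    """For each jar record, list the Data Sources whose Format needs it and the
    MID Server Script Includes that touch its Java package. driver_map maps a jar
    file name to {'jdbc_format': <Format value or None>, 'package': <regex>} and
    is supplied by you from the jar's manifest or vendor docs (assumption)."""
    report = []
    for jar in jars:
        spec = driver_map.get(jar["name"])
        refs = []
        if spec:
            if spec.get("jdbc_format"):
                refs += [f"sys_data_source:{ds['name']}" for ds in data_sources
                         if ds.get("type") == "JDBC"
                         and ds.get("jdbc_format") == spec["jdbc_format"]]
            pkg = re.compile(spec["package"])
            refs += [f"ecc_agent_script_include:{si['name']}" for si in script_includes
                     if pkg.search(si.get("script", ""))]
        report.append({"jar": jar["name"], "mapped": spec is not None, "references": refs,
                       # Only conclude "unreferenced" for jars we actually know how to look for.
                       "unreferenced": spec is not None and not refs})
    return report


# Constructed sample rows, shaped like the Table API results for the three tables.
SAMPLE_JARS = [
    {"sys_id": "a1", "name": "mysql-connector-java-5.1.44-bin.jar", "version": "5.1.44", "active": "true"},
    {"sys_id": "a2", "name": "joda-time-2.9.9.jar", "version": "2.9.9", "active": "true"},
    {"sys_id": "a3", "name": "ojdbc6.jar", "version": "11.2.0.4", "active": "true"},
    {"sys_id": "a4", "name": "custom-ldap-helper.jar", "version": "1.0", "active": "true"},
]
SAMPLE_DATA_SOURCES = [
    {"name": "HR MySQL import", "type": "JDBC", "jdbc_format": "MySQL", "active": "true"},
    {"name": "Legacy CSV feed", "type": "File", "jdbc_format": "", "active": "true"},
]
SAMPLE_SCRIPT_INCLUDES = [
    {"name": "EventTimeProbe", "script": "var now = new Packages.org.joda.time.DateTime();"},
    {"name": "PingProbe", "script": "var addr = Packages.java.net.InetAddress.getByName(host);"},
]
DRIVER_MAP = {  # assumption: which Format value and Java package each jar provides
    "mysql-connector-java-5.1.44-bin.jar": {"jdbc_format": "MySQL", "package": r"com\.mysql\."},
    "joda-time-2.9.9.jar": {"jdbc_format": None, "package": r"org\.joda\.time"},
    "ojdbc6.jar": {"jdbc_format": "Oracle", "package": r"oracle\.jdbc"},
}


def demo():
    """Offline run of the triage over the constructed rows."""
    return jar_references(SAMPLE_JARS, SAMPLE_DATA_SOURCES, SAMPLE_SCRIPT_INCLUDES, DRIVER_MAP)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A jar that is not in DRIVER_MAP is reported as mapped=False and never as unreferenced: the absence of a known package to search for is not evidence that nothing uses it. Treat "unreferenced" as the shortlist to deactivate after the Orchestration and Integration Hub checks, not as a final verdict.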
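Confirming the vendor and version of every jar in extlib by hand is tedious across many MID Servers, so here is an added example, not part of this KB, that does the unzip-and-read step for a whole extlib folder: it reads each jar's META-INF/MANIFEST.MF or Maven pom.properties, falls back to the file name, and flags the jars whose version falls inside a scanner-reported affected range (<= 8.0.28 for the MySQL Connector/J finding above). The two jars it builds in a temporary folder are constructed for the demo and contain only metadata; point scan_extlib at a real agent/extlib folder to use it.

```python
"""Inventory the jars in a MID Server agent/extlib folder: read each jar's own
metadata to get its artifact name and version, then flag the ones that fall
inside a scanner-reported affected range. Standard library only."""
import re
import tempfile
import zipfile
from pathlib import Path


def parse_manifest(text):
    """Turn META-INF/MANIFEST.MF into a dict. Lines over 72 bytes are wrapped
    onto a following line that starts with a space, so unwrap those first."""
    unwrapped = re.sub(r"\r?\n ", "", text)
    attrs = {}
    for line in unwrapped.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def jar_identity(jar_path):
    """Return (artifact, version, where_found). Maven's pom.properties is the most
    reliable source, then the manifest, then the file name as a last resort."""
    jar_path = Path(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        k, v = line.split("=", 1)
                        props[k.strip()] = v.strip()
                if "artifactId" in props and "version" in props:
                    return props["artifactId"], props["version"], name
        if "META-INF/MANIFEST.MF" in names:
            m = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            version = m.get("Implementation-Version") or m.get("Bundle-Version")
            if version:
                title = m.get("Implementation-Title") or m.get("Bundle-SymbolicName")
                return title or jar_path.stem, version, "META-INF/MANIFEST.MF"
    # No metadata: fall back to the usual <artifact>-<version>[-bin].jar naming.
    match = re.match(r"(?P<artifact>.+?)-(?P<version>\d[\w.]*?)(?:-bin)?\.jar$", jar_path.name)
    if match:
        return match.group("artifact"), match.group("version"), "filename"
    return jar_path.stem, "unknown", "filename"


def version_key(version):
    """'5.1.44' -> (5, 1, 44). Qualifiers after '-' are dropped, so this compares
    release versions only."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def is_affected(version, max_affected):
    """True when version <= max_affected, padding the shorter tuple with zeros."""
    a, b = version_key(version), version_key(max_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def scan_extlib(extlib_dir, name_pattern, max_affected):
    """List every jar in extlib with its identity; 'affected' is True for jars whose
    artifact or file name matches name_pattern and whose version is <= max_affected."""
    wanted = re.compile(name_pattern, re.IGNORECASE)
    findings = []
    for jar in sorted(Path(extlib_dir).glob("*.jar")):
        artifact, version, source = jar_identity(jar)
        hit = bool(wanted.search(f"{artifact} {jar.name}")) and version != "unknown"
        findings.append({"file": jar.name, "artifact": artifact, "version": version,
                         "source": source,
                         "affected": hit and is_affected(version, max_affected)})
    return findings


def build_sample_extlib(root):
    """Constructed sample data: two metadata-only jars shaped like the real ones."""
    extlib = Path(root) / "agent" / "extlib"
    extlib.mkdir(parents=True)
    with zipfile.ZipFile(extlib / "mysql-connector-java-5.1.44-bin.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Title: MySQL Connector/J\r\n"
                    "Implementation-Version: 5.1.44\r\n\r\n")
    with zipfile.ZipFile(extlib / "joda-time-2.9.9.jar", "w") as zf:
        zf.writestr("META-INF/maven/joda-time/joda-time/pom.properties",
                    "#Generated by Maven\nversion=2.9.9\ngroupId=joda-time\nartifactId=joda-time\n")
    return extlib


def demo():
    """Run the scan over the constructed extlib for the MySQL Connector/J finding."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extlib(build_sample_extlib(tmp), r"mysql.?connector", "8.0.28")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The version the scanner reports and the version in the manifest should agree; if they do not (a jar renamed on upload, a manifest-less jar identified only by file name), the manifest is the one to trust when you search for the fixed release.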
Related Links

MID Server installs that have been down for a long time, forgotten about, no longer listed in the instance, or left behind as backup install folders, may also get flagged by scanners. This KB article has tips on how to find those: KB1185167 Vulnerabilities (e.g. log4j/Java) found on a MID Server host, even after upgrading the Instance