Potential ServiceNow Vulnerability Investigation (KB1553688)
AdaCore uses the ServiceNow platform to implement our customer portal. On Tuesday October 17 we became aware of a potential ServiceNow vulnerability caused by insecure default configuration (servicenow-data-exposure). In response to this development, our Computer Security Incident Response Team (CSIRT) promptly launched an investigation to assess the impact on our instances and attempt to reproduce the exploit. Our conclusion was that only authenticated users could have successfully run the exploit. We contacted ServiceNow for advice while auditing our logs for the unlikely case of a customer trying to access other customers’ data.
In the meantime, ServiceNow made some public announcements and opened a case (KB1553688) that described the issue. The various ServiceNow messages published thereafter validated our initial assessment that only authenticated users could have compromised data confidentiality. At this stage, we audited the use of “Public” role on our instances. Our conclusion was that the only problematic widget was “Simple List”. In accordance with the details documented in KB1553688, the "Public" role access was promptly removed from this widget.
While the investigation established that only authenticated customers could potentially have misused this widget to access data belonging to other customers, we were able to conclude that the only access to this specific widget was initiated by us as a result of investigating this issue.
Consequently, no data breach or leakage occurred.
ServiceNow applied security updates on our instances and provided a set of recommendations on this matter that are aligned with what we are already doing - all our sensitive data is protected by proper Access Control Lists. We are confident that we are well protected against this kind of issue.
Document Control Information
|Title||Potential ServiceNow Vulnerability Investigation (KB1553688)|
|Authors||David Assamoi, Olivier Ramonat, Nicolas Roche|