Fortra is actively investigating a vulnerability in the ServiceNow Vancouver and Washington, D.C. Now Platform releases. This vulnerability, CVE-2024-4879, could enable an unauthenticated user to remotely execute code within the Now Platform. ServiceNow has released an update, patches, and hot fixes to address this vulnerability.
Who is affected?
ServiceNow has not released a detailed list of vulnerable versions. Alert Logic recommends assuming you are vulnerable if you are on the Utah, Vancouver, or Washington release and not using one of the patched versions listed below.
What can I do?
ServiceNow has proactively updated hosted instances and released updates to partners and self-hosted customers. Customers should apply the relevant security patches as soon as possible.
Release | Fixed Versions |
---|---|
Utah | Utah Patch 10 Hot Fix 3; Utah Patch 10a Hot Fix 2 |
Vancouver | Vancouver Patch 6 Hot Fix 2; Vancouver Patch 7 Hot Fix 3b; Vancouver Patch 8 Hot Fix 4; Vancouver Patch 9; Vancouver Patch 10 |
Washington | Washington DC Patch 1 Hot Fix 2b; Washington DC Patch 2 Hot Fix 2; Washington DC Patch 3 Hot Fix 1; Washington DC Patch 4 |
Additional updates may become available. Refer to ServiceNow's advisory for the latest patch information.
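The following script is an added example (not Fortra's, Alert Logic's, or ServiceNow's code) showing how a defender can triage an instance inventory against the fixed-version table above. It encodes the advisory's rule, "assume vulnerable unless on a listed patched version", and makes one labelled assumption: a later hot fix on a patch line that is already listed (for example Vancouver Patch 9 Hot Fix 1, given that Vancouver Patch 9 is listed) is treated as fixed. The instance names and version strings in the sample inventory are constructed; real ServiceNow build strings may be formatted differently and would need their own parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Fixed versions exactly as listed in the advisory's table.
FIXED_VERSIONS = [
    "Utah Patch 10 Hot Fix 3", "Utah Patch 10a Hot Fix 2",
    "Vancouver Patch 6 Hot Fix 2", "Vancouver Patch 7 Hot Fix 3b",
    "Vancouver Patch 8 Hot Fix 4", "Vancouver Patch 9", "Vancouver Patch 10",
    "Washington DC Patch 1 Hot Fix 2b", "Washington DC Patch 2 Hot Fix 2",
    "Washington DC Patch 3 Hot Fix 1", "Washington DC Patch 4",
]

# Accepts "<Release> [DC] Patch <n>[letter] [Hot Fix <n>[letter]]".
VERSION_RE = re.compile(
    r"^\s*(?P<release>Utah|Vancouver|Washington)(?:\s+DC)?"
    r"\s+Patch\s+(?P<patch>\d+)(?P<patch_suffix>[a-z]?)"
    r"(?:\s+Hot\s*Fix\s+(?P<hotfix>\d+)(?P<hotfix_suffix>[a-z]?))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Build:
    release: str
    patch: int
    patch_suffix: str
    hotfix: int          # 0 when the build carries no hot fix
    hotfix_suffix: str

    @property
    def patch_line(self):
        return (self.release, self.patch, self.patch_suffix)

    @property
    def hotfix_key(self):
        # "" sorts before "a" before "b", so (3, "") < (3, "b"): Hot Fix 3 is older than 3b.
        return (self.hotfix, self.hotfix_suffix)


def parse_build(text: str) -> Optional[Build]:
    """Parse a human-readable ServiceNow build string; None if unrecognized."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return Build(
        release=m["release"].capitalize(),
        patch=int(m["patch"]),
        patch_suffix=m["patch_suffix"].lower(),
        hotfix=int(m["hotfix"]) if m["hotfix"] else 0,
        hotfix_suffix=(m["hotfix_suffix"] or "").lower(),
    )


FIXED_BUILDS = [parse_build(v) for v in FIXED_VERSIONS]


def assess(text: str) -> str:
    """Return 'fixed', 'assume-vulnerable', or 'unrecognized' for one build string."""
    build = parse_build(text)
    if build is None:
        return "unrecognized"
    for fixed in FIXED_BUILDS:
        # Assumption (not stated in the advisory): a hot fix at or above the listed
        # one on the same patch line is treated as carrying the fix.
        if build.patch_line == fixed.patch_line and build.hotfix_key >= fixed.hotfix_key:
            return "fixed"
    # Advisory guidance: anything not on the fixed list is assumed vulnerable.
    return "assume-vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each instance name to its verdict."""
    return {name: assess(version) for name, version in inventory.items()}


# Constructed sample inventory (hypothetical instance names and versions).
SAMPLE_INVENTORY = {
    "dev-instance": "Vancouver Patch 7 Hot Fix 3",
    "test-instance": "Vancouver Patch 7 Hot Fix 3b",
    "prod-instance": "Washington DC Patch 4",
    "legacy-instance": "Utah Patch 10a Hot Fix 1",
    "unknown-instance": "Tokyo Patch 5",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

Releases outside Utah, Vancouver, and Washington are reported as unrecognized rather than safe, since the advisory says nothing about them; check the vendor advisory for those instances.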
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities. The following detections are currently available.
Alert Logic Network IDS: Alert Logic released IDS telemetry signatures to capture publicly reported PoC activity relating to template injection attempts.
Alert Logic Vulnerability Scanning: Alert Logic released unauthenticated scan coverage on July 15, 2024. If the vulnerability is found, an exposure (EID: 272341) will be raised for CVE-2024-4879.
FortraVM: FortraVM released unauthenticated scan coverage on August 21, 2024, via scanner version 4.49.0. If the vulnerability is found, vulnerability 160456 "ServiceNow UI Macros Jelly Template Injection Vulnerability" will be raised.
Tripwire IP360: Tripwire released remote and authenticated scan coverage July 31, 2024, to identify vulnerable instances. If the vulnerability is found, Tripwire vulnerability 648288 will match for CVE-2024-4879.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
07/15/2024: Alert Logic released unauthenticated scan coverage to identify vulnerable instances.
07/31/2024: Tripwire released remote and authenticated scan coverage to identify vulnerable instances.
08/21/2024: Alert Logic released IDS telemetry signatures, and FortraVM released unauthenticated scan coverage.