¡¾·ì϶¹«¸æ¡¿ServiceNow JellyÄ£°å×¢Èë·ì϶£¨CVE-2024-4879£©

°ä²¼¹¦·ò 2024-07-12

 

Ò»¡¢·ì϶¸ÅÊö

·ìϼûû³Æ

ServiceNow JellyÄ£°å×¢Èë·ì϶

CVE   ID

CVE-2024-4879

·ì϶ÀàÐÍ

×¢Èë

·¢ÏÖ¹¦·ò

2024-07-04

·ì϶ÆÀ·Ö

9.3

·ì϶µÈ¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ÀûÓÃÄѶÈ

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

Òѹ«¿ª

ÔÚÒ°ÀûÓÃ

δ·¢ÏÖ

 

ServiceNowÊÇÒ»ÖÖ»ùÓÚÔÆÍÆËãµÄÆóÒµ·þÎñÖÎÀí£¨ESM£©Æ½Ì¨ £¬ËüÌṩÁËÒ»Ì×È«ÃæµÄ½â¾ö¹æ»® £¬ÓÃÓÚÖÎÀíºÍ×Ô¶¯»¯ÆóÒµµÄ·þÎñºÍÔËÓª¡£

2024Äê7ÔÂ12ÈÕ £¬GA»Æ½ð¼×¼¯ÍÅVSRC¼à²âµ½ServiceNowÖн¨¸´Á˶à¸ö·ì϶ £¬Ä¿Ç°ÕâЩ·ì϶µÄϸ½Ú¼°PoCÒѹ«¿ª £¬ÏêÇéÈçÏ£º

CVE-2024-4879 £ºServiceNow JellyÄ£°å×¢Èë·ì϶

ServiceNow UIºêÖдæÔÚJellyÄ£°å×¢Èë·ì϶ £¬Î´¾­Éí·ÝÑéÖ¤µÄÍþвÕß¿ÉÀûÓø÷ì϶עÈë¶ñÒâ´úÂë £¬´Ó¶øÈƹý°²È«½ÚÔì¡¢ÇÔÈ¡Ãô¸ÐÐÅÏ¢»òµ¼ÖÂÔ¶³ÌÖ´ÐдúÂë £¬¸Ã·ì϶µÄCVSSÆÀ·ÖΪ9.3¡£

CVE-2024-5217£ºServiceNow Glide±í°×ʽעÈë·ì϶

ÓÉÓÚ GlideExpressionScript ÀàÖжÔÓû§ÊäÈë¹ýÂ˲»µ± £¬Î´¾­Éí·ÝÑéÖ¤µÄÍþвÕß¿Éͨ¹ý/login.do½Ó¿ÚµÄjvar_page_title²ÎÊý´«µÝ¶ñÒâÄÚÈݵ¼ÖÂÔ¶³Ì´úÂëÖ´ÐÐ £¬¸Ã·ì϶µÄCVSSÆÀ·ÖΪ9.2¡£

CVE-2024-5178£ºServiceNowÎļþ¶ÁÊØÐÅϢй¶·ì϶

ÓÉÓÚSecurelyAccess API ÖдæÔÚÊäÈëÑéÖ¤²»ÃÀÂú £¬¿ÉÄܵ¼ÖÂÖÎÀíÓû§Î´¾­ÊÚȨ½Ó¼û Web ÀûÓ÷¨Ê½·þÎñÆ÷ÉϵÄÃô¸ÐÎļþ £¬Ôì³ÉÐÅϢй¶ £¬¸Ã·ì϶µÄCVSSÆÀ·ÖΪ6.9¡£


¶þ¡¢·ì϶¸´ÏÖ

¡¾·ì϶¸´ÏÖ¡¿ServiceNow JellyÄ£°å×¢Èë·ì϶£¨CVE-2024-4879£©.jpg


 

Èý¡¢Ó°ÏìÁìÓò

CVE

ÊÜÓ°ÏìServiceNow°æ±¾

½¨¸´°æ±¾

CVE-2024-4879

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 2b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 1

ServiceNow   < Washington DC Patch 4

Washington   DC Patch 1 Hot Fix 2b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 1

Washington   DC Patch 4

CVE-2024-5217

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

ServiceNow   < Utah Patch 10b Hot Fix 1

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

Utah Patch   10b Hot Fix 1

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9 Hot Fix 1

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9 Hot Fix 1

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 3b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 2

ServiceNow   < Washington DC Patch 4

ServiceNow   < Washington DC Patch 5

Washington   DC Patch 1 Hot Fix 3b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 2

Washington   DC Patch 4

Washington   DC Patch 5

CVE-2024-5178

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

ServiceNow   < Utah Patch 10b Hot Fix 1

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

Utah Patch   10b Hot Fix 1

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9 Hot Fix 1

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9 Hot Fix 1

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 3b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 2

ServiceNow   < Washington DC Patch 4

Washington   DC Patch 1 Hot Fix 3b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 2

Washington   DC Patch 4

 


ËÄ¡¢°²È«´ëÊ©

4.1 Éý¼¶°æ±¾

Ä¿Ç°¸Ã·ì϶ÒѾ­½¨¸´ £¬ÊÜÓ°ÏìÓû§¿É²Î¿¼Éϱí £¬ÊµÊ±¸üв¹¶¡»òÉý¼¶µ½×îа汾¡£

ÏÂÔØÁ´½Ó£º

https://support.servicenow.com/now

4.2 һʱ´ëÊ©

ÔÝÎÞ¡£

4.3 ͨÓý¨Òé

l  ¶¨ÆÚ¸üÐÂϵͳ²¹¶¡ £¬Ï÷¼õϵͳ·ì϶ £¬ÌáÉý·þÎñÆ÷µÄ°²È«ÐÔ¡£

l  ¼ÓǿϵͳºÍÍøÂçµÄ½Ó¼û½ÚÔì £¬Åú¸Ä·À»ðǽսÊõ £¬¹Ø¹Ø·Ç±ØÒªµÄÀûÓö˿ڻò·þÎñ £¬Ï÷¼õ½«Î£ÏÕ·þÎñ£¨ÈçSSH¡¢RDPµÈ£©Â¶³öµ½¹«Íø £¬Ï÷¼õ¹¥»÷Ãæ¡£

l  ʹÓÃÆóÒµ¼¶°²È«²úÆ· £¬ÌáÉýÆóÒµµÄÍøÂ簲ȫ»úÄÜ¡£

l  ¼ÓǿϵͳÓû§ºÍȨÏÞÖÎÀí £¬ÆôÓöà³É·ÖÈÏÖ¤»úÔìºÍ×îÓ×ȨÏÞ×¼Ôò £¬Óû§ºÍÈí¼þȨÏÞӦά³ÖÔÚ×îµÍÏ޶ȡ£

l  ÆôÓÃÇ¿ÃÜÂëÕ½Êõ²¢ÉèÖÃΪ¶¨ÆÚÅú¸Ä¡£

4.4 ²Î¿¼Á´½Ó

https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313

 

Îå¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-07-12

³õ´Î°ä²¼

V1.1

2024-07-16

ÐÂÔö·ì϶¸´ÏÖ



Áù¡¢¸½Â¼

6.1 GA»Æ½ð¼×¼ò½é

GA»Æ½ð¼×³ÉÁ¢ÓÚ1996Äê £¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ´´½¨µÄ¡¢Õ¼ÓÐÆëÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢°²È«¸ß¿Æ¼¼ÆóÒµ¡£ÊǹúÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢°²È«²úÆ·¡¢°²È«·þÎñ½â¾ö¹æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°GA»Æ½ð¼×´óÏà £¬¹«Ë¾Ô±¹¤6000ÓàÈË £¬Ñз¢ÍŶÓ1200ÓàÈË, ¼¼Êõ·þÎñÍŶÓ1300ÓàÈË¡£ÔÚÈ«¹ú¸÷Ê¡¡¢ÊÓ×¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö £¬Õ¼Óи²¸ÇÈ«¹úµÄÏúÊÛϵͳ¡¢Çþ·ϵͳºÍ¼¼ÊõÖ§³Öϵͳ¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐÓ×°å¹ÒÅÆÉÏÊС££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´ £¬GA»Æ½ð¼×ÖÂÁ¦ÓÚÌṩӵÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷´´Ðµİ²È«²úÆ·ºÍ×î¼Ñʵ¼Ê·þÎñ £¬Ô®ÊÖ¿Í»§È«ÃæÌáÉýÆäIT»ù´¡ÉèÊ©µÄ°²È«ÐԺͳö²úЧÁ¦ £¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢°²È«²úÒµÁì¾üÆ·Åƶø²»Ð¸ÖÂÁ¦¡£

6.2 ¹ØÓÚGA»Æ½ð¼×

GA»Æ½ð¼×°²È«Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑ°ä²¼1000¶à¸ö·ì϶¹«¸æ΢·çÏÕÔ¤¾¯ £¬ÎÒÃǽ«³ÖÐø¸ú×ÙÈ«Çò×îеÄÍøÂ簲ȫÊÂÎñºÍ·ì϶ £¬ÎªÆóÒµµÄÐÅÏ¢°²È«±£¼Ý»¤º½¡£

¹Ø×¢ÎÒÃÇ£º

image.png