¡¾Îó²îͨ¸æ¡¿ServiceNow JellyÄ£°å×¢ÈëÎó²î£¨CVE-2024-4879£©

Ðû²¼Ê±¼ä 2024-07-12

 

Ò»¡¢Îó²î¸ÅÊö

Îó²îÃû³Æ

ServiceNow JellyÄ£°å×¢ÈëÎó²î

CVE   ID

CVE-2024-4879

Îó²îÀàÐÍ

×¢Èë

·¢Ã÷ʱ¼ä

2024-07-04

Îó²îÆÀ·Ö

9.3

Îó²îÆ·¼¶

¸ßΣ

¹¥»÷ÏòÁ¿

ÍøÂç

ËùÐèȨÏÞ

ÎÞ

ʹÓÃÄѶÈ

µÍ

Óû§½»»¥

ÎÞ

PoC/EXP

ÒѹûÕæ

ÔÚҰʹÓÃ

δ·¢Ã÷

 

ServiceNowÊÇÒ»ÖÖ»ùÓÚÔÆÅÌËãµÄÆóҵЧÀÍÖÎÀí£¨ESM£©Æ½Ì¨£¬£¬£¬£¬£¬ËüÌṩÁËÒ»Ì×ÖÜÈ«µÄ½â¾ö¼Æ»®£¬£¬£¬£¬£¬ÓÃÓÚÖÎÀíºÍ×Ô¶¯»¯ÆóÒµµÄЧÀͺÍÔËÓª¡£¡£¡£¡£

2024Äê7ÔÂ12ÈÕ£¬£¬£¬£¬£¬Z6×ðÁú¿­Ê±¼¯ÍÅVSRC¼à²âµ½ServiceNowÖÐÐÞ¸´Á˶à¸öÎó²î£¬£¬£¬£¬£¬ÏÖÔÚÕâЩÎó²îµÄϸ½Ú¼°PoCÒѹûÕ棬£¬£¬£¬£¬ÏêÇéÈçÏ£º

CVE-2024-4879 £ºServiceNow JellyÄ£°å×¢ÈëÎó²î

ServiceNow UIºêÖб£´æJellyÄ£°å×¢ÈëÎó²î£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄÍþвÕß¿ÉʹÓøÃÎó²î×¢Èë¶ñÒâ´úÂ룬£¬£¬£¬£¬´Ó¶øÈƹýÇå¾²¿ØÖÆ¡¢ÇÔÈ¡Ãô¸ÐÐÅÏ¢»òµ¼ÖÂÔ¶³ÌÖ´ÐдúÂ룬£¬£¬£¬£¬¸ÃÎó²îµÄCVSSÆÀ·ÖΪ9.3¡£¡£¡£¡£

CVE-2024-5217£ºServiceNow Glide±í´ïʽעÈëÎó²î

ÓÉÓÚ GlideExpressionScript ÀàÖжÔÓû§ÊäÈë¹ýÂ˲»µ±£¬£¬£¬£¬£¬Î´¾­Éí·ÝÑéÖ¤µÄÍþвÕß¿Éͨ¹ý/login.do½Ó¿ÚµÄjvar_page_title²ÎÊýת´ï¶ñÒâÄÚÈݵ¼ÖÂÔ¶³Ì´úÂëÖ´ÐУ¬£¬£¬£¬£¬¸ÃÎó²îµÄCVSSÆÀ·ÖΪ9.2¡£¡£¡£¡£

CVE-2024-5178£ºServiceNowÎļþ¶ÁÊØÐÅϢй¶Îó²î

ÓÉÓÚSecurelyAccess API Öб£´æÊäÈëÑéÖ¤²»ÍêÉÆ£¬£¬£¬£¬£¬¿ÉÄܵ¼ÖÂÖÎÀíÓû§Î´¾­ÊÚȨ»á¼û Web Ó¦ÓóÌÐòЧÀÍÆ÷ÉϵÄÃô¸ÐÎļþ£¬£¬£¬£¬£¬Ôì³ÉÐÅϢй¶£¬£¬£¬£¬£¬¸ÃÎó²îµÄCVSSÆÀ·ÖΪ6.9¡£¡£¡£¡£


¶þ¡¢Îó²î¸´ÏÖ

¡¾Îó²î¸´ÏÖ¡¿ServiceNow JellyÄ£°å×¢ÈëÎó²î£¨CVE-2024-4879£©.jpg


 

Èý¡¢Ó°Ïì¹æÄ£

CVE

ÊÜÓ°ÏìServiceNow°æ±¾

ÐÞ¸´°æ±¾

CVE-2024-4879

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 2b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 1

ServiceNow   < Washington DC Patch 4

Washington   DC Patch 1 Hot Fix 2b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 1

Washington   DC Patch 4

CVE-2024-5217

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

ServiceNow   < Utah Patch 10b Hot Fix 1

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

Utah Patch   10b Hot Fix 1

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9 Hot Fix 1

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9 Hot Fix 1

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 3b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 2

ServiceNow   < Washington DC Patch 4

ServiceNow   < Washington DC Patch 5

Washington   DC Patch 1 Hot Fix 3b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 2

Washington   DC Patch 4

Washington   DC Patch 5

CVE-2024-5178

ServiceNow   < Utah Patch 10 Hot Fix 3

ServiceNow   < Utah Patch 10a Hot Fix 2

ServiceNow   < Utah Patch 10b Hot Fix 1

Utah Patch   10 Hot Fix 3

Utah Patch   10a Hot Fix 2

Utah Patch   10b Hot Fix 1

ServiceNow   < Vancouver Patch 6 Hot Fix 2

ServiceNow   < Vancouver Patch 7 Hot Fix 3b

ServiceNow   < Vancouver Patch 8 Hot Fix 4

ServiceNow   < Vancouver Patch 9 Hot Fix 1

ServiceNow   < Vancouver Patch 10

Vancouver   Patch 6 Hot Fix 2

Vancouver   Patch 7 Hot Fix 3b

Vancouver   Patch 8 Hot Fix 4

Vancouver   Patch 9 Hot Fix 1

Vancouver   Patch 10

ServiceNow   < Washington DC Patch 1 Hot Fix 3b

ServiceNow   < Washington DC Patch 2 Hot Fix 2

ServiceNow   < Washington DC Patch 3 Hot Fix 2

ServiceNow   < Washington DC Patch 4

Washington   DC Patch 1 Hot Fix 3b

Washington   DC Patch 2 Hot Fix 2

Washington   DC Patch 3 Hot Fix 2

Washington   DC Patch 4

 


ËÄ¡¢Çå¾²²½·¥

4.1 Éý¼¶°æ±¾

ÏÖÔÚ¸ÃÎó²îÒѾ­ÐÞ¸´£¬£¬£¬£¬£¬ÊÜÓ°ÏìÓû§¿É²Î¿¼Éϱí£¬£¬£¬£¬£¬ÊµÊ±¸üв¹¶¡»òÉý¼¶µ½×îа汾¡£¡£¡£¡£

ÏÂÔØÁ´½Ó£º

https://support.servicenow.com/now

4.2 ÔÝʱ²½·¥

ÔÝÎÞ¡£¡£¡£¡£

4.3 ͨÓý¨Òé

l  °´ÆÚ¸üÐÂϵͳ²¹¶¡£¬£¬£¬£¬£¬ïÔ̭ϵͳÎó²î£¬£¬£¬£¬£¬ÌáÉýЧÀÍÆ÷µÄÇå¾²ÐÔ¡£¡£¡£¡£

l  ÔöǿϵͳºÍÍøÂçµÄ»á¼û¿ØÖÆ£¬£¬£¬£¬£¬Ð޸ķÀ»ðǽսÂÔ£¬£¬£¬£¬£¬¹Ø±Õ·ÇÐëÒªµÄÓ¦Óö˿ڻòЧÀÍ£¬£¬£¬£¬£¬ïÔÌ­½«Î£ÏÕЧÀÍ£¨ÈçSSH¡¢RDPµÈ£©Ì»Â¶µ½¹«Íø£¬£¬£¬£¬£¬ïÔÌ­¹¥»÷Ãæ¡£¡£¡£¡£

l  ʹÓÃÆóÒµ¼¶Çå¾²²úÆ·£¬£¬£¬£¬£¬ÌáÉýÆóÒµµÄÍøÂçÇå¾²ÐÔÄÜ¡£¡£¡£¡£

l  ÔöǿϵͳÓû§ºÍȨÏÞÖÎÀí£¬£¬£¬£¬£¬ÆôÓöàÒòËØÈÏÖ¤»úÖƺÍ×îСȨÏÞÔ­Ôò£¬£¬£¬£¬£¬Óû§ºÍÈí¼þȨÏÞÓ¦¼á³ÖÔÚ×îµÍÏ޶ȡ£¡£¡£¡£

l  ÆôÓÃÇ¿ÃÜÂëÕ½ÂÔ²¢ÉèÖÃΪ°´ÆÚÐ޸ġ£¡£¡£¡£

4.4 ²Î¿¼Á´½Ó

https://www.assetnote.io/resources/research/chaining-three-bugs-to-access-all-your-servicenow-data

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1645154

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1648313

 

Îå¡¢°æ±¾ÐÅÏ¢

°æ±¾

ÈÕÆÚ

±¸×¢

V1.0

2024-07-12

Ê×´ÎÐû²¼

V1.1

2024-07-16

ÐÂÔöÎó²î¸´ÏÖ



Áù¡¢¸½Â¼

6.1 Z6×ðÁú¿­Ê±¼ò½é

Z6×ðÁú¿­Ê±½¨ÉèÓÚ1996Ä꣬£¬£¬£¬£¬ÊÇÓÉÁôÃÀ²©Ê¿ÑÏÍû¼ÑŮʿ½¨ÉèµÄ¡¢ÓµÓÐÍêÈ«×ÔÖ÷֪ʶ²úȨµÄÐÅÏ¢Çå¾²¸ß¿Æ¼¼ÆóÒµ¡£¡£¡£¡£ÊǺ£ÄÚ×î¾ßʵÁ¦µÄÐÅÏ¢Çå¾²²úÆ·¡¢Ç徲ЧÀͽâ¾ö¼Æ»®µÄÁ캽ÆóÒµÖ®Ò»¡£¡£¡£¡£

¹«Ë¾×ܲ¿Î»ÓÚ±±¾©ÊÐÖйشåÈí¼þÔ°Z6×ðÁú¿­Ê±´óÏ㬣¬£¬£¬£¬¹«Ë¾Ô±¹¤6000ÓàÈË£¬£¬£¬£¬£¬Ñз¢ÍŶÓ1200ÓàÈË, ÊÖÒÕЧÀÍÍŶÓ1300ÓàÈË¡£¡£¡£¡£ÔÚÌìϸ÷Ê¡¡¢ÊС¢×ÔÖÎÇøÉèÁ¢·ÖÖ§»ú¹¹ÁùÊ®¶à¸ö£¬£¬£¬£¬£¬ÓµÓÐÁýÕÖÌìϵÄÏúÊÛϵͳ¡¢ÇþµÀϵͳºÍÊÖÒÕÖ§³Öϵͳ¡£¡£¡£¡£¹«Ë¾ÓÚ2010Äê6ÔÂ23ÈÕÔÚÉîÛÚÖÐС°å¹ÒÅÆÉÏÊС£¡£¡£¡££¨¹ÉƱ´úÂ룺002439£©

¶àÄêÀ´£¬£¬£¬£¬£¬Z6×ðÁú¿­Ê±ÖÂÁ¦ÓÚÌṩ¾ßÓйú¼Ê¾ºÕùÁ¦µÄ×ÔÖ÷Á¢ÒìµÄÇå¾²²úÆ·ºÍ×î¼Ñʵ¼ùЧÀÍ£¬£¬£¬£¬£¬×ÊÖú¿Í»§ÖÜÈ«ÌáÉýÆäIT»ù´¡ÉèÊ©µÄÇå¾²ÐÔºÍÉú²úЧÄÜ£¬£¬£¬£¬£¬Îª´òÔìºÍÌáÉý¹ú¼Ê»¯µÄÃñ×åÐÅÏ¢Çå¾²¹¤ÒµÁì¾üÆ·Åƶø²»Ð¸Æ𾢡£¡£¡£¡£

6.2 ¹ØÓÚZ6×ðÁú¿­Ê±

Z6×ðÁú¿­Ê±Çå¾²Ó¦¼±ÏìÓ¦ÖÐÐÄÒÑÐû²¼1000¶à¸öÎó²îͨ¸æºÍΣº¦Ô¤¾¯£¬£¬£¬£¬£¬ÎÒÃǽ«Ò»Á¬¸ú×ÙÈ«Çò×îеÄÍøÂçÇå¾²ÊÂÎñºÍÎó²î£¬£¬£¬£¬£¬ÎªÆóÒµµÄÐÅÏ¢Çå¾²±£¼Ý»¤º½¡£¡£¡£¡£

¹Ø×¢ÎÒÃÇ£º

image.png