CVE-2024-4879 — ServiceNow Improper Input Validation Vulnerability

ServiceNow Now Platform — Unauthenticated RCE via Jelly Template Injection in UI Macros

What is ServiceNow?

ServiceNow is a cloud-based enterprise service management platform used by thousands of large organizations worldwide for IT service management (ITSM), HR service delivery, customer service management, and business process automation. ServiceNow instances contain highly sensitive organizational data: IT asset inventories, employee records, service desk tickets (often containing credentials and system details), security incident records, and automated workflows with privileged access to enterprise systems. An unauthenticated RCE on a ServiceNow instance typically provides an attacker with a foothold into one of the most data-rich and privileged systems in the enterprise.

Overview

CVE-2024-4879 is a Jelly template injection vulnerability in ServiceNow's UI macros functionality that allows an unauthenticated remote attacker to execute arbitrary code on the ServiceNow platform. Jelly is ServiceNow's XML-based templating language used for UI rendering; insufficient input validation allows attacker-supplied template syntax to be evaluated server-side. Disclosed July 10, 2024, it was exploited in the wild within weeks alongside CVE-2024-5217 (a related GlideExpression injection), prompting CISA KEV addition on July 29. Both vulnerabilities affect the Utah, Vancouver, and Washington DC Now Platform releases.

Affected Versions

Platform Release   Vulnerable               Fixed
Utah               Prior to hotfix patch    Apply KB1645154 hotfix
Vancouver          Prior to hotfix patch    Apply KB1645154 hotfix
Washington DC      Prior to hotfix patch    Apply KB1645154 hotfix

ServiceNow releases fixes as hotfixes applied through the instance update mechanism. Consult KB1645154 for the specific patch for your release.

Technical Details

The weakness is classified as CWE-1287 (Improper Validation of Specified Type of Input). ServiceNow's Jelly templating engine evaluates XML template markup to generate UI content. The UI macros feature allows template content to reference server-side objects and execute ServiceNow scripting. Insufficient input validation in a UI macro rendering path allows an unauthenticated attacker to inject Jelly template syntax that is evaluated by the server, resulting in arbitrary code execution within the ServiceNow platform context.

CVE-2024-4879 and CVE-2024-5217 (GlideExpression script injection) were frequently exploited together. CVE-2024-4879 targets the UI macro Jelly rendering path, while CVE-2024-5217 targets the GlideExpression evaluation path — both achieve unauthenticated server-side code execution through different injection points on the same platform.

Discovery

Reported to ServiceNow through coordinated disclosure. ServiceNow published the patches on July 10, 2024, the same day the CVEs were disclosed.

Exploitation Context

Exploitation was observed in the wild shortly after disclosure, targeting internet-accessible ServiceNow instances. Threat actors used the unauthenticated RCE to extract ServiceNow database contents — including user tables, service desk ticket data (which often contains embedded credentials and system information), and configuration data. The broad organizational data stored in ServiceNow made these instances high-value targets. Mass scanning for vulnerable ServiceNow instances was observed on the internet within days of disclosure. CISA added both CVE-2024-4879 and CVE-2024-5217 to the KEV catalog on the same date, July 29, 2024.

Remediation

  1. Apply the ServiceNow hotfix for your release as described in KB1645154. ServiceNow instances should be set to automatically accept and apply patches.
  2. Verify the patch is applied by checking the instance's system update log.
  3. Restrict access to the ServiceNow instance: consider IP allowlisting for the login page, or enforce VPN/SSO requirements for access.
  4. Review ServiceNow system logs for unauthorized script execution or unusual data access patterns that may indicate prior exploitation.
  5. Apply the patch for CVE-2024-5217 simultaneously — both vulnerabilities should be addressed together.

Key Details

Property              Value
CVE ID                CVE-2024-4879
Vendor / Product      ServiceNow — Utah, Vancouver, and Washington DC Now Platform
NVD Published         2024-07-10
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-1287
CISA KEV Added        2024-07-29
CISA KEV Deadline     2024-08-19
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2024-08-19. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-07-10  CVE published; ServiceNow releases hotfixes
2024-07-29  Added to CISA Known Exploited Vulnerabilities catalog
2024-08-19  CISA BOD 22-01 remediation deadline

References

Resource                                    Type
ServiceNow Knowledge Base — KB1645154       Vendor Advisory
NVD — CVE-2024-4879                         Vulnerability Database
CISA KEV Catalog Entry                      US Government