Ensure that the glide.xml.entity.whitelist and glide.xml.entity.whitelist.enabled properties are set to the recommended values to prevent XML external entity (XXE) attacks.

Protect against XXE attacks by using an allow list to prevent attackers from including arbitrary HTTP requests that the server may execute. This could lead to additional attacks using the server's trust relationship with other entities.

Add http://java.sun.com/j2ee/dtds/ to the value of the glide.xml.entity.whitelist system property, then set the glide.xml.entity.whitelist.enabled system property to true.

Values other than http://java.sun.com/j2ee/dtds/ can be included in the in the glide.xml.entity.whitelist property, but are unnecessary for the out of the box platform state. Review any additional values to determine if they are safe.

Warning: This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

More information

AttributeDescription
Property name glide.xml.entity.whitelist,glide.xml.entity.whitelist.enabled
Configuration type System Properties (/sys_properties_list.do)
Category Validation, sanitization, and encoding
Purpose This remediation control must be enabled to defend against XXE attacks.
Recommended value http://java.sun.com/j2ee/dtds/
Default value http://java.sun.com/j2ee/dtds/
Security risk rating 9.8
Functional Impact If the customization is using external entity, not inclusion listed in the glide.xml.entity.whitelist property, the NOW Platform might block further processing.
Security risk (Critical) An attacker can use the DTD to include arbitrary HTTP requests that the server might execute. This could lead to other attacks using the server's trust relationship with other entities.