CVE-2024-8924
📋 TL;DR
ServiceNow Now Platform has a blind SQL injection vulnerability that allows unauthenticated attackers to extract unauthorized information from the database. This affects ServiceNow hosted instances and self-hosted customers. The vulnerability has been patched by ServiceNow.
💻 Affected Systems
- ServiceNow Now Platform
📦 What is this software?
Servicenow by Servicenow
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive customer data, configuration secrets, and user credentials
Likely Case
Extraction of sensitive business data, user information, and configuration details
If Mitigated
No impact if patched or proper network controls prevent access
🎯 Exploit Status
Blind SQL injection requires specialized techniques, but unauthenticated access lowers the barrier. No public exploit code was available at the time of the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check ServiceNow KB1706072 for specific patch versions
Vendor Advisory: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1706072
Restart Required: Yes
Instructions:
1. Access the ServiceNow instance admin console.
2. Check the current platform version.
3. Apply the ServiceNow-provided patch or hotfix.
4. Restart the ServiceNow instance.
5. Verify patch application.
🔧 Temporary Workarounds
Network Access Control
Restrict access to ServiceNow instances to authorized networks only
Web Application Firewall
Deploy a WAF with SQL injection protection rules
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ServiceNow instances
- Deploy intrusion detection/prevention systems with SQL injection signatures
🔍 How to Verify
Check if Vulnerable:
Check ServiceNow instance version against affected versions in KB1706072
Check Version:
Check ServiceNow System Properties > System Information for platform version
Verify Fix Applied:
Verify patch installation through ServiceNow admin console and confirm version is updated
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns
- Multiple failed SQL-like requests from single source
- Requests with SQL syntax in parameters
Network Indicators:
- Unusual outbound database connections
- Patterns of timed boolean-based requests
SIEM Query:
source="servicenow" AND (url="*sql*" OR parameters="*SELECT*" OR parameters="*UNION*" OR parameters="*WAITFOR*" OR parameters="*SLEEP*")
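The log indicators above (SQL syntax in parameters, many SQL-like requests from one source, regularly timed boolean probing) as a small detection routine, added here as an example; it is not from the advisory or from ServiceNow, and the log format, paths and parameter names it parses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Keywords from the SIEM query above; whole-word so "select_all" does not match.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|WAITFOR|SLEEP)\b", re.IGNORECASE)

# Constructed sample access log (hypothetical format and paths, not real
# ServiceNow logs): client IP, ISO timestamp, method, request target.
SAMPLE_LOG = """\
10.0.0.5 2024-11-01T10:00:00 GET /app/records?q=active%3Dtrue&view=select_all
10.0.0.9 2024-11-01T10:00:01 GET /app/records?q=INC001%27%20AND%20SLEEP(5)--
10.0.0.9 2024-11-01T10:00:07 GET /app/records?q=INC001%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--
10.0.0.9 2024-11-01T10:00:13 GET /app/records?q=INC001%27%20AND%20SLEEP(5)--
10.0.0.9 2024-11-01T10:00:19 GET /app/records?q=INC001%27%20UNION%20SELECT%201--
10.0.0.7 2024-11-01T10:00:20 GET /app/records?q=number%3DINC002
""".splitlines()

def parse_line(line):
    """Split one log line into (client, timestamp, decoded parameter values)."""
    client, ts, _method, target = line.split(maxsplit=3)
    values = [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    return client, datetime.fromisoformat(ts), values

def sql_hits(lines):
    """(client, timestamp, keyword) per request carrying SQL syntax in a parameter."""
    hits = []
    for line in lines:
        client, ts, values = parse_line(line)
        for value in values:
            m = SQL_KEYWORDS.search(value)
            if m:
                hits.append((client, ts, m.group(1).upper()))
                break
    return hits

def suspicious_sources(lines, threshold=3, window_seconds=60):
    """Clients with >= threshold hits inside one window (many SQL-like requests from
    one source); regular_interval flags identical gaps, the shape of timed probing."""
    by_client = defaultdict(list)
    for client, ts, _kw in sql_hits(lines):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in sorted(by_client.items()):
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                gaps = {(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])}
                flagged[client] = {"hits": len(stamps), "regular_interval": len(gaps) == 1}
                break
    return flagged
```

Keyword matching on decoded values catches URL-encoded payloads that a raw string match on the request line would miss; the per-source threshold keeps a single benign hit from paging anyone.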