529 views

 

Collection Mode | Customer FAQ


Table of Contents


1. What is the Collection Mode System Property?
2. What is Collection Mode System Plugin?
3. What are the risks associated with the Collection Mode property being enabled?
4. Why is ServiceNow completing a write audit on my instance?
5. Is there a requirement for our organization to participate in the write audit?
6. Is it possible to be excluded or to reschedule this write audit?
7. Why aren’t these properties already properly configured on my instance?
8. When will the maintenance occur?
9. What impact will this write audit have on the performance and availability of my production instance?
10. What actions will need to be taken if my instance is identified as needing to change the Collection Mode property?
11. Who can I contact if I have questions or run into problems?
12. What is the timeline for the completion of the write audits?
13. How will changing the Collection Mode property affect my instances?
14. After the write audits are completed on our instances, what are the next steps?
15. What happens if we have issues with our instances after the mitigation and write audit are complete?

1. What is the Collection Mode System Property?


The “Collection Mode” property allows for the direct calling of new Java packages that have not been called before. This property has been found to be enabled on instances that were procured prior to Calgary.

2. What is Collection Mode System Plugin?


Once enabled, this plugin manages the relationship between the server side code and Collection mode property to enforce security restrictions.

3. What are the risks associated with the Collection Mode property and/or Collection Mode System plugin?


When the “Collection Mode” property is enabled, new Java package calls are collected and remembered by your instance(s). When the Collection mode plug in is disabled, these Java package calls are able to be accessed without addition security restrictions. The importing and storing of these Java calls has been identified as a potential security risk to your instance and ServiceNow.

4. Why is ServiceNow completing a write audit on my instance?


ServiceNow is constantly in pursuit of maximizing the security of your instances. The disabling of the “Collection Mode” system property and enabling “Collection mode” System plugin will close the security gap that exists when importing Java package calls into an instance. Alternatively, the same actions will be performed using GlideScriptable equivalents.

5. What actions will ServiceNow be taking during this maintenance window?


During the maintenance window, ServiceNow will complete a write audit on your instance. This write audit will do one or both of the following on your instance(s):

  • disable the “Glide.whitelist.manager.collection_mode.override” and
  • enable the “com.glide.script.whitelist.0 “ plugin

These changes will prevent the calling of Java packages directly that have not been called before, bypassing the GlideScriptable API’s introduced in Calgary.

6. Is there a requirement for our organization to participate in the write audit? Is it possible to be excluded or to reschedule?


Participation in this maintenance is required. There is no anticipated downtime with this maintenance and it should have no negative impact on the performance of your instance.

7. Why aren’t these settings already properly configured on my instance?


Previously, these settings were not identified as a potential risk factor to instances. In recent security audits, is has been determined by the ServiceNow Security team that this the property must be enabled to ensure the security of customer instances and ServiceNow.

Collection Mode was designed to provide backwards compatibility for highly customized instances using Package calls that were created on a version prior to Calgary. As this can now be performed using whitelisted GlideScriptable equivalents, it has been determined that the “Collection Mode” state is no longer needed and can be disabled.

8. When will the maintenance occur?


This maintenance will be scheduled to occur during the time indicated in the incident assigned to you. You will receive an incident 14 days prior to when this maintenance will be scheduled which will provide you with the full details of when this maintenance will occur.

9. What impact will this write audit have on the performance and availability of my instance?


ServiceNow does not anticipate for downtime to occur during the write audit.

10. What actions are required in preparation for ServiceNow's completion of a write audit for the Collection Mode property?


There are no actions required in preparation of this maintenance.

11. Who can I contact if I have questions or run into problems?


Following the completion of the write audits, ensure that the instance is functioning as expected. If issues are experienced, contact the Customer Support team as soon as possible.

Visit the Contact Support page for contact information by region.

12. What is the timeline for the completion of the write audits?


Write audits will be completed for sub-production instances first. Once this has been completed and ServiceNow has verified that the write audit was completed successfully, the write audit for Production instances will be scheduled. You will receive a 14-day notification with details of this maintenance. This notification will the full details, including time and duration, of this maintenance.

13. How will changing the Collection Mode property affect my instances?


Disabling the “Collection Mode” property and enabling System property will increase the security of your instance (s). With this change, new Java package calls will no longer be collected. Previously used calls will not be impacted and will still be accessible. New customizations will require the use of Glide Scriptable API’s.

14. After the write audits are completed on our instance(s), what are the next steps?


Once the “Collection Mode” property has been disabled, there is no impact expected to the functionality of your instance. In regards to Java package calls, new calls will no longer be collected or remembered. However, previously used calls, that have been whitelisted, will not be impacted. New customizations to your instance will require the use of Glide Scriptable API’s.

15. What happens if we have issues with our instances after the mitigation and write audit are complete?


If you encounter issues with your instances once the write audit has been completed, contact the ServiceNow Customer Support team, and reference your incident.

Visit the Contact Support page for contact information by region.

The normal escalation process will be followed to remediate the problem.

Article Information

Last Updated:2017-09-21 11:15:21
Published:2017-02-22