CVE-2017-17677: BMC Remedy 9.1SP3 is affected by authenticated code execution.
BMC Remedy 9.1SP3 is affected by authenticated code execution. Authenticated users that have the right to create reports can use BIRT templates to run code.
Security readout for executives and security teams
Plain-English summary
CVE-2017-17677 is an authenticated code execution issue in BMC Remedy 9.1SP3. A user who can create reports may be able to use BIRT templates to run code. This is mainly an insider, compromised-account, or over-privileged-user risk, but the impact can be serious where Remedy is business-critical.
Executive priority
Prioritize assessment if Remedy 9.1SP3 supports service management, operations, or regulated workflows. The issue requires privileges, but successful abuse could turn a normal account into code execution on a sensitive enterprise platform.
Technical view
The CVE describes code execution through BIRT report templates in BMC Remedy 9.1SP3, requiring authentication and report-creation rights. No CVSS, CWE, detailed affected CPEs, or confirmed exploitation are provided in the source bundle. BMC published a Remedy AR System security fixes page, but exact remediation details are not included here.
Likely exposure
Organizations running BMC Remedy 9.1SP3 are potentially exposed, especially where many users can create reports or upload/manage BIRT templates. Exposure is lower where reporting rights are tightly limited and vendor fixes are applied.
Exploitation context
The source bundle supports authenticated code execution by users with report-creation rights. It does not support active exploitation, public weaponized exploitation, unauthenticated access, or broad version impact beyond the named Remedy 9.1SP3 description.
Researcher notes
The public record is sparse: severity, CVSS, CWE, CPEs, and detailed fixed versions are absent from the bundle. Treat the Full Disclosure reference as context, but rely on BMC guidance for remediation confirmation.
Mitigation direction
Check BMC guidance for the Remedy AR System security fixes referenced by the CVE.
Apply relevant vendor fixes or upgrades for affected Remedy AR System deployments.
Restrict report-creation rights to trusted administrative users only.
Review whether BIRT template use can be limited or disabled safely.
Monitor for unexpected report template changes or unusual report execution activity.
Validation and detection
Inventory BMC Remedy deployments and confirm whether version 9.1SP3 is present.
Review user and group permissions for report creation rights.
Check whether BIRT templates are enabled or accepted in reporting workflows.
Confirm patch status against the referenced BMC security fixes page.
Review audit logs for unexpected report or template creation activity.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Execution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
1ADP providers
3Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 19, 2021, 13:11 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.