Analyst readout for executives and security teams
Plain-English summary
Oracle ASR Manager before 5.7 has a flaw that could let someone already able to log on to the infrastructure where ASR runs tamper with some ASR-accessible data or partially disrupt ASR service. This is operationally important for organizations relying on ASR for Oracle support automation.
Executive priority
Treat as a moderate operational risk. Prioritize remediation where ASR supports critical support workflows or runs on shared infrastructure with broad local access.
Technical view
CVE-2017-3505 affects Oracle Support Tools Automatic Service Request, ASR Manager prior to 5.7. The CVE lists CVSS 3.0 5.1 with local attack vector, low complexity, no privileges, and no user interaction. Impact is limited integrity and availability, with no confidentiality impact stated.
Likely exposure
Exposure is likely limited to environments running Oracle ASR Manager prior to 5.7, especially where users or processes have logon access to ASR infrastructure. The source bundle does not identify internet-facing exploitation.
Exploitation context
The CVE says exploitation is easy but requires logon to the infrastructure where ASR executes. CISA KEV is false in the bundle, and no cited source reports active exploitation.
Researcher notes
Evidence is sparse beyond the CVE and Oracle advisory reference. No CWE, exploit details, or named patch artifact are provided in the bundle. The key scoping point is local infrastructure access, not unauthenticated internet exposure.
Mitigation direction
- Identify all Oracle ASR Manager deployments and versions.
- Upgrade ASR Manager to 5.7 or later per Oracle guidance.
- Review Oracle's April 2017 Critical Patch Update for applicable remediation details.
- Restrict logon access to systems where ASR Manager runs.
- Monitor ASR data changes and service availability for anomalies.
Validation and detection
- Confirm whether any ASR Manager instance is prior to 5.7.
- Verify ASR hosts are not broadly accessible to non-administrative users.
- Check change logs for unauthorized ASR data updates, inserts, or deletes.
- Review service monitoring for partial ASR availability disruptions.
- Document remediation status against the Oracle CPU reference.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2017-3505 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.htmlCVE reference · x_refsource_CONFIRM
- 97814CVE reference · vdb-entry, x_refsource_BID
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
