LiveActive security incident?Get immediate response
CVE Record

CVE-2017-3505: Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR M...

Vulnerability in the Automatic Service Request (ASR) component of Oracle Support Tools (subcomponent: ASR Manager). The supported version that is affected is Prior to 5.7. Easily "exploitable" vulnerability allows unauthenticated attacker with logon to the infrastructure where Automatic Service Request (ASR) executes to compromise Automatic Service Request (ASR). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Automatic Service Request (ASR) accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Automatic Service Request (ASR). CVSS 3.0 Base Score 5.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

Oracle ASR Manager before 5.7 has a flaw that could let someone already able to log on to the infrastructure where ASR runs tamper with some ASR-accessible data or partially disrupt ASR service. This is operationally important for organizations relying on ASR for Oracle support automation.

Executive priority

Treat as a moderate operational risk. Prioritize remediation where ASR supports critical support workflows or runs on shared infrastructure with broad local access.

Technical view

CVE-2017-3505 affects Oracle Support Tools Automatic Service Request, ASR Manager prior to 5.7. The CVE lists CVSS 3.0 5.1 with local attack vector, low complexity, no privileges, and no user interaction. Impact is limited integrity and availability, with no confidentiality impact stated.

Likely exposure

Exposure is likely limited to environments running Oracle ASR Manager prior to 5.7, especially where users or processes have logon access to ASR infrastructure. The source bundle does not identify internet-facing exploitation.

Exploitation context

The CVE says exploitation is easy but requires logon to the infrastructure where ASR executes. CISA KEV is false in the bundle, and no cited source reports active exploitation.

Researcher notes

Evidence is sparse beyond the CVE and Oracle advisory reference. No CWE, exploit details, or named patch artifact are provided in the bundle. The key scoping point is local infrastructure access, not unauthenticated internet exposure.

Mitigation direction

  • Identify all Oracle ASR Manager deployments and versions.
  • Upgrade ASR Manager to 5.7 or later per Oracle guidance.
  • Review Oracle's April 2017 Critical Patch Update for applicable remediation details.
  • Restrict logon access to systems where ASR Manager runs.
  • Monitor ASR data changes and service availability for anomalies.

Validation and detection

  • Confirm whether any ASR Manager instance is prior to 5.7.
  • Verify ASR hosts are not broadly accessible to non-administrative users.
  • Check change logs for unauthorized ASR data updates, inserts, or deletes.
  • Review service monitoring for partial ASR availability disruptions.
  • Document remediation status against the Oracle CPU reference.
Prepared
Confidence
medium
Sources
4

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2017-3505 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Oracle CorporationAutomatic Service Request (ASR)unspecifiedListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.