PatchSiren cyber security CVE debrief
CVE-2017-3235 Oracle CVE debrief
CVE-2017-3235 is a low-severity Oracle FLEXCUBE Universal Banking issue affecting multiple 11.x and 12.x releases. Oracle and NVD describe it as easily exploitable with physical access and capable of unauthorized read and data modification on some accessible data. The main defense focus is strict physical-access control and following Oracle remediation guidance for affected deployments.
- Vendor: Oracle
- Product: CVE-2017-3235
- CVSS: LOW 3.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle FLEXCUBE Universal Banking administrators, banking IT and security teams, and operators responsible for physical or local console access to affected 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, and 12.2.0 deployments.
Technical summary
The NVD record lists affected Oracle FLEXCUBE Universal Banking versions and a CVSS v3.0 vector of AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating physical access is required, no privileges are needed, and the impact is limited to confidentiality and integrity. Oracle’s description says successful attacks can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of accessible data. The record does not indicate availability impact.
Defensive priority
Low, because the vulnerability requires physical access; however, systems handling sensitive banking data should still be reviewed and protected.
Recommended defensive actions
- Inventory Oracle FLEXCUBE Universal Banking instances and confirm whether any deployment matches the affected versions listed by NVD.
- Restrict physical and local administrative access to systems running affected releases, including console, badge, and workstation controls.
- Review Oracle's January 2017 CPU/vendor advisory referenced in the NVD record and apply Oracle remediation guidance or patches available for your environment.
- Audit for unauthorized reads or changes to accessible banking data and verify change-control and access logs on affected systems.
- If immediate remediation is not possible, place affected systems in tightly controlled physical and administrative access environments.
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus. The CVE was published on 2017-01-27T22:59:02.177Z, and the NVD record was later modified on 2026-05-13T00:24:29.033Z. The affected versions, physical-access requirement, impact statement, and CVSS vector come from the provided NVD/CVE text. The Oracle January 2017 CPU advisory appears in the NVD reference list as a patch/vendor advisory.
Official resources
- CVE-2017-3235 CVE record (CVE.org)
- CVE-2017-3235 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Patch, Vendor Advisory)
- Mitigation or vendor reference (Third Party Advisory, VDB Entry)
- Source reference: CVE published at 2017-01-27T22:59:02.177Z; NVD record modified at 2026-05-13T00:24:29.033Z. Timing in this debrief uses the CVE published date for issue context.