CVE-2017-3240 Oracle CVE debrief

Who should care

Oracle Database administrators, security teams managing hosts that run Oracle Database Server 12.1.0.2, and operators who allow local logon access on database infrastructure.

Technical summary

The supplied NVD data classifies the flaw as CVE-200 with CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. That means the attack requires local access and low privileges, has no user interaction, and results in limited confidentiality impact without integrity or availability impact. The vulnerable CPE in the corpus is oracle:database_server:12.1.0.2.

Defensive priority

Low to moderate. It is not a remote, high-impact flaw, but it still merits patching on affected Oracle Database Server 12.1.0.2 systems, especially where local logon access is available to untrusted or multi-user operators.

Recommended defensive actions

• Review Oracle's January 2017 Critical Patch Update advisory for the affected release and apply the vendor fix for Database Server 12.1.0.2.
• Confirm whether Oracle Database Server 12.1.0.2 is deployed on any host that permits local logon access by non-administrators.
• Restrict local access to database hosts and limit who can log on where RDBMS Security executes.
• Verify that compensating controls and routine patch management cover Oracle CPU advisories for database infrastructure.
• Track the CVE in vulnerability management, but treat it as a lower-priority item than remotely exploitable or integrity-impacting issues.

Evidence notes

This debrief is based only on the supplied NVD record and Oracle advisory reference in the corpus. The CVE was published on 2017-01-27T22:59:02.303Z; the NVD record was later modified on 2026-05-13T00:24:29.033Z, which is record maintenance timing and not the vulnerability's original disclosure date. The corpus lists Oracle's CPU January 2017 advisory as the vendor patch reference and identifies Oracle Database Server 12.1.0.2 as vulnerable.

Official resources