PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3246 Oracle CVE debrief

CVE-2017-3246 is a vulnerability in Oracle E-Business Suite's Application Object Library, specifically the Patching subcomponent. According to the supplied record, it affects versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. A successful attack can let a high-privileged attacker with logon to the infrastructure where the component runs create, delete, modify, or read critical data.

Vendor: Oracle
Product: CVE-2017-3246
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, patch-management teams, and security teams responsible for servers where Oracle Application Object Library runs, especially environments that allow high-privilege infrastructure logons.

Technical summary

NVD assigns CVE-2017-3246 a CVSS v3.0 base score of 6.0 with vector CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The issue requires local access and high privileges on the infrastructure hosting Oracle Application Object Library, but no user interaction. The supplied CPE data marks Oracle Application Object Library 12.1.3 and 12.2.3 through 12.2.6 as vulnerable, with confidentiality and integrity impact only.

Defensive priority

Medium

Recommended defensive actions

  • Check whether Oracle E-Business Suite deployments include Oracle Application Object Library versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Apply the Oracle January 2017 Critical Patch Update guidance referenced in the NVD record for this CVE.
  • Limit and monitor high-privilege logon access to the infrastructure where Oracle Application Object Library executes.
  • Review administrative access, patching workflows, and change-control protections around Oracle E-Business Suite servers.
  • Validate that affected systems are patched and that access to critical data is constrained and logged.

Evidence notes

The supplied record shows CVE publication on 2017-01-27 and a later record modification on 2026-05-13; the later date reflects metadata updates, not initial disclosure. NVD lists Oracle's January 2017 CPU advisory as the vendor patch reference and gives the CVSS vector CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The provided enrichment does not mark this CVE as a Known Exploited Vulnerability (KEV).

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27. The supplied record was later modified on 2026-05-13, which indicates a metadata update rather than a new disclosure date.