PatchSiren cyber security CVE debrief
CVE-2017-3268 Oracle CVE debrief
CVE-2017-3268 is a high-severity availability issue in Oracle Outside In Technology. According to NVD and Oracle’s referenced CPU advisory, an unauthenticated attacker with network access via HTTP can trigger a hang or repeatable crash, resulting in complete denial of service for affected deployments. Oracle’s CVSS context also notes that impact depends on whether the embedding software forwards network-received data directly into Outside In Technology.
- Vendor: Oracle
- Product: CVE-2017-3268
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle Fusion Middleware operators and developers using Outside In Technology SDKs, especially products that ingest untrusted HTTP data and pass it into Outside In Filters or related Outside In components.
Technical summary
The vulnerability affects Oracle Outside In Technology versions 8.5.2 and 8.5.3. The attack vector is network-based and requires no authentication or user interaction. Successful exploitation can cause a hang or frequently repeatable crash, producing a complete denial of service. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5). Oracle’s note in the CVE description says the effective score may be lower when the vulnerable code is not reached by network-delivered input.
Defensive priority
High for any internet-facing or externally reachable application that routes untrusted HTTP content into Outside In Technology; moderate for internal-only deployments or integrations where the data path is tightly controlled.
Recommended defensive actions
- Identify whether any application or service uses Oracle Outside In Technology 8.5.2 or 8.5.3, including embedded SDK deployments.
- Apply Oracle’s guidance from the January 2017 CPU advisory for the affected Outside In Technology versions.
- Reduce exposure by limiting which systems can submit content that reaches Outside In Technology, especially network-originated HTTP input.
- Add monitoring for repeated crashes, hangs, or unexpected restarts in services that depend on Outside In Filters.
- Review application architecture to determine whether network-received data is passed directly into Outside In Technology, since Oracle notes the practical impact depends on that path.
Evidence notes
Based on the NVD record for CVE-2017-3268 and the Oracle CPU January 2017 advisory referenced there. The CVE description explicitly states affected versions 8.5.2 and 8.5.3, unauthenticated network access via HTTP, and complete DoS via hang or repeatable crash. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Official resources
- CVE-2017-3268 CVE record (CVE.org)
- CVE-2017-3268 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Mitigation or vendor reference ([email protected] - Third Party Advisory, VDB Entry)
- Source reference
Publicly disclosed in the CVE/NVD record on 2017-01-27. The supplied record was later modified on 2026-05-13, but that is not the vulnerability disclosure date.