CVE-2017-3277 Oracle CVE debrief

Who should care

Oracle E-Business Suite administrators, Oracle Applications Manager owners, identity/access administrators, and vulnerability management teams responsible for high-privilege application access and HTTP exposure.

Technical summary

NVD classifies the weakness as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.0 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network reachability, low attack complexity, no user interaction, and a requirement for high privileges. The documented impact is confidentiality-only; integrity and availability are not affected in the CVSS vector.

Defensive priority

Medium priority. The vulnerability is exploitable only by a high-privileged attacker, but the potential impact includes unauthorized access to sensitive Oracle Applications Manager data.

Recommended defensive actions

• Apply the Oracle CPU/January 2017 update referenced in Oracle's advisory for the affected Oracle E-Business Suite / Applications Manager versions.
• Verify whether Oracle Applications Manager instances are on one of the affected versions: 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
• Restrict network access to Oracle Applications Manager to only trusted administrative sources.
• Review and minimize high-privilege access to the application, especially accounts that can reach OAM over HTTP.
• Monitor privileged access and administrative activity for unusual data access patterns in Oracle Applications Manager.

Evidence notes

Based on the NVD CVE record and its linked Oracle advisory reference. NVD lists affected CPEs for Oracle Applications Manager versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, and the CVSS v3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The record also cites CWE-200. Reference URLs supplied in the corpus include the official CVE record, NVD detail page, and Oracle's January 2017 Critical Patch Update advisory.

Official resources