PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3279 Oracle CVE debrief

CVE-2017-3279 affects Oracle Leads Management in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3. NVD describes it as an easily exploitable issue reachable over HTTP by an unauthenticated network attacker, but successful attacks require human interaction from someone other than the attacker. The impact is primarily on confidentiality and integrity, with potential unauthorized access to critical data or complete access to Oracle Leads Management-accessible data, plus unauthorized update/insert/delete of some accessible data. The published CVSS v3.0 score is 8.2 (High).

Vendor: Oracle
Product: CVE-2017-3279
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, security teams, and incident responders responsible for Oracle Leads Management deployments, especially versions 12.1.1/12.1.2/12.1.3 exposed to user access over HTTP.

Technical summary

NVD lists CVE-2017-3279 as a vulnerability in the Oracle Leads Management user interface component. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network reachability, no privileges required, and a user-interaction dependency. The affected CPEs are Oracle Leads Management 12.1.1, 12.1.2, and 12.1.3. Reported impacts include unauthorized access to critical data or all Leads Management-accessible data, along with limited integrity impacts through unauthorized modification of some accessible data.

Defensive priority

High

Recommended defensive actions

  • Apply Oracle's January 2017 CPU or the vendor fix referenced in the Oracle security advisory for this issue.
  • Verify whether Oracle Leads Management 12.1.1, 12.1.2, or 12.1.3 is deployed anywhere in the environment, including legacy or indirectly exposed instances.
  • Restrict network exposure to Oracle E-Business Suite interfaces and limit access to trusted users and networks where possible.
  • Review authentication, session, and access-control configurations around Leads Management user interaction paths.
  • Monitor for suspicious access patterns or unexpected data access and modification within Oracle Leads Management.
  • Use the official Oracle advisory and NVD record to confirm remediation guidance and affected product scope.

Evidence notes

All facts in this debrief are derived from the supplied NVD record and its referenced Oracle advisory link. The CVE publication date used here is 2017-01-27T22:59:03.570Z, and the later NVD modification timestamp (2026-05-13T00:24:29.033Z) is not treated as the issue date. No exploit code, reproduction steps, or unsupported remediation details are included.

Official resources

Publicly disclosed on 2017-01-27 in the supplied CVE/NVD record, with Oracle vendor advisory references included in the NVD metadata.