PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3282 Oracle CVE debrief

CVE-2017-3282 affects Oracle Partner Management in Oracle E-Business Suite. According to NVD and Oracle’s January 2017 CPU advisory reference, the issue is network-exploitable over HTTP, requires no attacker authentication, and does require human interaction. Successful exploitation can lead to unauthorized update, insert, or delete access to some Partner Management data; the published CVSS vector records an integrity impact only.

Vendor: Oracle
Product: CVE-2017-3282
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators and security teams responsible for Oracle Partner Management, especially environments running affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Teams should also care if Partner Management is integrated into broader business workflows, since the vendor description notes possible impact beyond the component itself.

Technical summary

NVD lists the weakness as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N, indicating a low-complexity network attack that does not require credentials but does require user interaction. The affected product scope in the source data is Oracle Partner Management (Oracle E-Business Suite UI subcomponent) for the specified versions. The described effect is limited to integrity changes in accessible Partner Management data, though Oracle’s advisory language notes potential impact to additional products.

Defensive priority

Medium priority. The score is 4.7 (MEDIUM), but the issue is unauthenticated and network-reachable, so it should be reviewed alongside exposed Oracle E-Business Suite deployments that include Partner Management.

Recommended defensive actions

  • Confirm whether Oracle Partner Management is deployed in any Oracle E-Business Suite instance in scope.
  • Check installed versions against the affected releases listed by NVD: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Review Oracle’s January 2017 Critical Patch Update advisory referenced by NVD for vendor remediation guidance.
  • Restrict network exposure to Oracle E-Business Suite administrative and user-facing interfaces where feasible.
  • Monitor for unusual UI-driven data changes in Partner Management workflows, especially unauthorized inserts, updates, or deletions.
  • Prioritize patch verification and configuration review in environments where users can be induced into interacting with attacker-controlled content or links.

Evidence notes

This debrief is based only on the supplied NVD record and the Oracle CPU January 2017 advisory reference cited in that record. Key source-backed facts include: affected Oracle Partner Management versions; unauthenticated network access via HTTP; required human interaction; integrity-only CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N; and the stated impact of unauthorized update/insert/delete access to some accessible data. The CVE publication date used for context is 2017-01-27T22:59:03.663Z.

Official resources

Publicly disclosed in the NVD record on 2017-01-27, with Oracle’s January 2017 CPU advisory cited as the vendor reference in the supplied source data.