PatchSiren

CVE-2017-3283 Oracle CVE debrief

CVE-2017-3283 is an Oracle Partner Management vulnerability in Oracle E-Business Suite’s user interface layer. The NVD record describes it as reachable over the network via HTTP, exploitable without authentication, and dependent on human interaction. Successful attacks can lead to unauthorized update, insert, or delete access to some Partner Management data; the impact is to integrity, as reflected in the CVSS v3.0 score of 4.7.

Vendor: Oracle
Product: CVE-2017-3283
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, Oracle Partner Management owners, application security teams, and patch management teams responsible for supported 12.1.1/12.1.2/12.1.3/12.2.3/12.2.4/12.2.5/12.2.6 deployments.

Technical summary

NVD lists the weakness as CWE-20 (Improper Input Validation) and scores it CVSS v3.0 4.7 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N. The affected CPEs cover Oracle Partner Management versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is exploitable over the network and does not require privileges, but it does require user interaction.

Defensive priority

Medium. The issue is network-reachable and unauthenticated, but it requires user interaction, and the impact published in the supplied CVSS record is limited to integrity.

Recommended defensive actions

  • Review Oracle Critical Patch Update guidance for January 2017 and confirm the corresponding fix has been applied to every affected Oracle Partner Management instance.
  • Inventory Oracle E-Business Suite deployments and verify whether any supported affected versions (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6) are in use.
  • Restrict exposure of Oracle Partner Management UI endpoints to trusted networks where possible.
  • Validate that application and change-control monitoring can detect unauthorized updates, inserts, or deletions in Partner Management data.
  • Use Oracle and NVD records as the authoritative references when confirming remediation status and version applicability.

Evidence notes

Source evidence comes from the supplied NVD record and its references. NVD describes the vulnerability as affecting Oracle Partner Management in Oracle E-Business Suite, with CVSS v3.0 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) and CWE-20. The record lists the affected supported versions and points to Oracle’s January 2017 CPU advisory plus SecurityFocus BID 95587 and SecurityTracker 1037639 as references.

Official resources

CVE published 2017-01-27T22:59:03.693Z; source/NVD modified 2026-05-13T00:24:29.033Z. No KEV entry was supplied for this CVE.