PatchSiren cyber security CVE debrief
CVE-2017-3284 Oracle CVE debrief
CVE-2017-3284 is a high-severity Oracle E-Business Suite issue in the Service Fulfillment Manager user interface. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated attacker, with the additional requirement that a separate person perform some human interaction. The impact is primarily confidentiality and integrity exposure, including unauthorized access to sensitive data and possible data modification.
- Vendor: Oracle
- Product: CVE-2017-3284
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, security teams, and application owners running Service Fulfillment Manager on any affected 12.1.x or 12.2.x release should treat this as relevant. It is especially important for environments where the UI is reachable from untrusted networks or where the application handles sensitive business data.
Technical summary
NVD lists the vulnerability in Oracle Service Fulfillment Manager, a component of Oracle E-Business Suite, with vulnerable versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network-based exploitation, no privileges required, required user interaction, and high confidentiality impact with limited integrity impact. The issue is described as affecting the user interface and potentially impacting additional products.
Defensive priority
High. The combination of network exposure, no authentication requirement, and meaningful data exposure risk makes this a strong patch-and-contain priority for any supported Oracle E-Business Suite deployment that includes Service Fulfillment Manager.
Recommended defensive actions
- Apply Oracle's security update referenced in the January 2017 Critical Patch Update advisory for the affected Service Fulfillment Manager releases.
- Confirm whether any of the affected versions listed by NVD are deployed in your environment: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Restrict HTTP access to Oracle E-Business Suite and Service Fulfillment Manager to trusted users and networks until patching is complete.
- Review authentication and user-interaction paths around the Service Fulfillment Manager UI, since the CVSS vector includes required user interaction.
- Monitor for unusual access to sensitive Service Fulfillment Manager data and for unexpected update, insert, or delete activity.
- If patching must be delayed, apply compensating controls such as segmentation, access control review, and heightened logging around the affected interface.
Evidence notes
This debrief is based on the supplied CVE record and NVD metadata. The source describes an unauthenticated, network-accessible HTTP issue in Oracle Service Fulfillment Manager with user interaction required and impacts to confidentiality and integrity. NVD lists the affected versions and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle's January 2017 Critical Patch Update is the vendor advisory referenced in the source metadata.
Official resources
- CVE-2017-3284 CVE record: CVE.org
- CVE-2017-3284 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference
The CVE was published on 2017-01-27, which is the appropriate public disclosure date to use here. The supplied 2026-05-13 timestamp is the record's modification time and should not be treated as the vulnerability's issue date.