PatchSiren cyber security CVE debrief
CVE-2017-3285 Oracle CVE debrief
CVE-2017-3285 is a high-severity Oracle Service Fulfillment Manager issue in Oracle E-Business Suite, published on 2017-01-27. Oracle’s advisory and the NVD record indicate that supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are affected. The vulnerability is reachable over HTTP and can be triggered by an unauthenticated attacker, but successful attacks require human interaction from a person other than the attacker. Impact is primarily confidentiality and integrity exposure, including unauthorized access to critical data or broad access to Service Fulfillment Manager data, plus unauthorized update, insert, or delete actions on some data.
- Vendor: Oracle
- Product: CVE-2017-3285
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and incident responders responsible for Service Fulfillment Manager deployments in the affected version range should treat this as a priority exposure. Organizations that expose the component to untrusted networks or rely on it for sensitive business data should review it first.
Technical summary
NVD lists CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting a network-reachable issue with no privileges required but a user-interaction dependency. The vulnerable component is Oracle Service Fulfillment Manager UI in Oracle E-Business Suite. NVD does not assign a specific CWE beyond NVD-CWE-noinfo, so the public record should be treated as a limited-disclosure vulnerability description rather than a named flaw class.
Defensive priority
High. The combination of unauthenticated network access, user interaction, and high confidentiality impact makes this important to patch promptly in affected Oracle E-Business Suite environments.
Recommended defensive actions
- Verify whether Oracle Service Fulfillment Manager is deployed and whether any instance is running one of the affected supported versions listed by NVD (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6).
- Review Oracle’s January 2017 CPU advisory and apply the vendor fix or cumulative update path that covers this issue.
- Limit network exposure to the component, especially HTTP access from untrusted networks, until remediation is completed.
- Review user-facing workflows around the component because exploitation requires human interaction; tighten awareness and change-control around unexpected prompts or requests.
- Check for anomalous access to Service Fulfillment Manager data and unexpected modification activity on related records.
- Use the NVD and Oracle advisory references to validate remediation status and to confirm that all affected instances are covered.
Evidence notes
This debrief is based only on the supplied NVD record and the referenced Oracle/third-party advisory links. The published date used for timing context is 2017-01-27 from the CVE record; the later modified timestamp is not treated as the issue date. No exploit details, reproduction steps, or unsupported root-cause claims are included.
Official resources
- CVE-2017-3285 CVE record (CVE.org)
- CVE-2017-3285 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Patch, Vendor Advisory)
- Mitigation or vendor reference (Third Party Advisory, VDB Entry)
- Source reference: Publicly disclosed in the CVE record on 2017-01-27. NVD shows the record as modified on 2026-05-13, but that is a later metadata update and not the vulnerability date.