PatchSiren

CVE-2017-3286 Oracle CVE debrief

CVE-2017-3286 is a medium-severity Oracle vulnerability in the Oracle Applications DBA component of Oracle E-Business Suite, specifically the Patching subcomponent. The issue was published on 2017-01-27 and affects supported versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. According to the NVD description, a high-privileged attacker with logon access to the infrastructure where Oracle Applications DBA executes could compromise the component, leading to unauthorized data access and/or data modification.

Vendor: Oracle
Product: CVE-2017-3286
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, DBAs, and infrastructure teams responsible for systems running Oracle Applications DBA should care most. Security teams should also review any environment where high-privilege local access is broadly available, because the attack requires local logon plus high privileges.

Technical summary

NVD classifies the issue as CVSS v3.0 6.0 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). That means exploitation is local, requires high privileges, and does not need user interaction. The stated impact is confidentiality and integrity compromise of Oracle Applications DBA accessible data, including unauthorized creation, deletion, modification, or access. The supplied record does not identify a specific CWE beyond NVD-CWE-noinfo.

Defensive priority

Medium. The vulnerability is not remotely exploitable according to the supplied CVSS vector, but it is still important in environments with privileged admin access or shared infrastructure because successful exploitation can expose or alter sensitive Oracle Applications DBA data.

Recommended defensive actions

  • Review Oracle's January 2017 CPU advisory for the vendor's patch guidance and affected product details.
  • Confirm whether Oracle E-Business Suite instances run one of the affected versions: 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Prioritize patching in any environment where privileged local logon is possible on hosts running Oracle Applications DBA.
  • Audit and restrict who has high-privilege access to the infrastructure where Oracle Applications DBA executes.
  • Monitor Oracle security advisories and internal asset inventories for systems that still match the affected CPE criteria.
  • Validate remediation by checking installed Oracle patch levels after applying vendor guidance.

Evidence notes

This debrief is based on the supplied NVD record and the Oracle CPU January 2017 advisory reference listed in the source corpus. The NVD entry provides the CVSS vector, affected CPEs, and the impact description. The Oracle advisory is cited in the record as a vendor patch reference. No exploit code or offensive reproduction details are included. The supplied enrichment indicates the CVE is not a KEV item.

Official resources

CVE-2017-3286 was published on 2017-01-27T22:59:03.787Z and later modified in NVD on 2026-05-13T00:24:29.033Z. Based on the supplied data, it affects Oracle Applications DBA in Oracle E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5