PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3311 Oracle CVE debrief

CVE-2017-3311 is an Oracle Application Testing Suite vulnerability affecting the Test Manager for Web Apps subcomponent in Oracle Enterprise Manager Grid Control. According to the CVE/NVD record, it was publicly disclosed on 2017-01-27 and is rated medium severity (CVSS 5.3). The issue is network-reachable over HTTP, requires no authentication, and can lead to unauthorized update, insert, or delete access to some Application Testing Suite data.

Vendor: Oracle
Product: CVE-2017-3311
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle Enterprise Manager Grid Control deployments, especially systems running Application Testing Suite 12.4.0.2, 12.5.0.2, or 12.5.0.3. Teams that expose the affected web application to network access should treat this as a priority integrity-risk issue.

Technical summary

The NVD record identifies the vulnerability as affecting Oracle Application Testing Suite (Test Manager for Web Apps) with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The documented impact is integrity-only: an unauthenticated remote attacker with HTTP access can cause unauthorized data modification (update/insert/delete) in some Application Testing Suite accessible data. NVD lists the affected CPEs as Oracle Application Testing Suite 12.4.0.2, 12.5.0.2, and 12.5.0.3.

Defensive priority

Medium. The attack surface is remotely reachable and requires no authentication, but the published CVSS impact is limited to integrity and the overall base score is 5.3. Prioritize exposure reduction and patch validation for any internet- or broadly network-accessible deployments.

Recommended defensive actions

  • Identify whether Oracle Application Testing Suite 12.4.0.2, 12.5.0.2, or 12.5.0.3 is deployed in your environment.
  • Review whether the affected Test Manager for Web Apps component is exposed over HTTP or reachable from untrusted networks.
  • Apply the Oracle vendor remediation referenced in the January 2017 CPU advisory when available for your environment.
  • Restrict network access to the affected application to trusted administrative networks until remediation is in place.
  • Monitor for unexpected data modification activity within Application Testing Suite data stores and related application logs.

Evidence notes

All factual claims are limited to the supplied CVE/NVD corpus. The CVE record states the vulnerability is in Oracle Enterprise Manager Grid Control's Application Testing Suite component, subcomponent Test Manager for Web Apps, and that supported affected versions are 12.5.0.3, 12.5.0.2, and 12.4.0.2. NVD provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N and lists the impact as unauthorized update, insert, or delete access to some accessible data. The record also links to Oracle's January 2017 CPU advisory as a vendor reference, but no additional advisory content was assumed.

Official resources

Publicly disclosed on 2017-01-27. Use the CVE publication date for timing context; the 2026 modified timestamp reflects record updates and should not be treated as the issue date.