PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3315 Oracle CVE debrief

CVE-2017-3315 is a confidentiality issue in Oracle PeopleSoft Enterprise HCM ePerformance (Security subcomponent) affecting version 9.2. According to the CVE record, a low-privileged attacker with network access over HTTP could read a subset of accessible ePerformance data. The issue is rated 4.3 (Medium) under CVSS 3.0 and maps to CWE-200, information exposure.

Vendor: Oracle
Product: CVE-2017-3315
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle PeopleSoft Enterprise HCM ePerformance 9.2 should care most, especially administrators, security teams, and data owners responsible for HR or employee performance records exposed through the application.

Technical summary

The NVD record identifies a vulnerable Oracle PeopleSoft Enterprise HCM ePerformance 9.2 CPE and describes an easily exploitable network-facing issue reachable via HTTP by a low-privileged attacker. The impact is limited to unauthorized read access to some ePerformance data; NVD classifies the weakness as CWE-200 and the CVSS vector as AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N.

Defensive priority

Moderate. The vulnerability is network-reachable and low-privilege, but the documented impact is limited to confidentiality with no integrity or availability effect.

Recommended defensive actions

  • Review Oracle's January 2017 CPU advisory for PeopleSoft-related fixes and confirm the applicable update path for ePerformance 9.2.
  • Restrict network exposure to PeopleSoft administrative and application interfaces where possible, including HTTP access paths.
  • Limit privileges to the minimum required for PeopleSoft users and service accounts.
  • Audit access controls and application authorization rules for ePerformance data visibility.
  • Monitor for unexpected read access patterns or anomalous application access from low-privileged accounts.

Evidence notes

The CVE description states that a low-privileged attacker with network access via HTTP can read a subset of accessible PeopleSoft Enterprise HCM ePerformance data. NVD lists the affected CPE as Oracle PeopleSoft Enterprise HCM ePerformance 9.2 and classifies the weakness as CWE-200 with CVSS 3.0 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The NVD references include Oracle's January 2017 Critical Patch Update advisory, plus third-party advisory and tracker entries.

Official resources

Publicly disclosed on 2017-01-27T22:59:04.460Z. The NVD record was later modified on 2026-05-13T00:24:29.033Z.