PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3323 Oracle CVE debrief

CVE-2017-3323 is a low-severity Oracle MySQL Cluster issue affecting the Cluster: General subcomponent. According to NVD, it is difficult to exploit, can be triggered by an unauthenticated network attacker via multiple protocols, and may cause a partial denial of service in MySQL Cluster.

Vendor: Oracle
Product: CVE-2017-3323
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Oracle MySQL Cluster deployments, especially internet- or broadly network-exposed instances, should review this issue and confirm they are not on affected releases.

Technical summary

NVD maps this vulnerability to CWE-20 and assigns it a CVSS 3.0 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). The affected Oracle MySQL Cluster versions listed in the record are 7.2.25 and earlier, 7.3.14 and earlier, and 7.4.12 and earlier. The impact is limited to availability and is described as a partial denial of service.

Defensive priority

Low. The issue is network-reachable and unauthenticated, but NVD characterizes exploitation as difficult and impact as limited to partial availability loss.

Recommended defensive actions

  • Apply Oracle's January 2017 CPU guidance referenced in the NVD record and upgrade to a MySQL Cluster release newer than the affected version ranges (7.2.25, 7.3.14, and 7.4.12 cutoffs).
  • Inventory MySQL Cluster deployments to confirm whether any affected versions are still in use.
  • Restrict network exposure to MySQL Cluster services where possible and monitor for availability anomalies or repeated service disruptions.
  • Track Oracle's vendor advisory and NVD record for any additional remediation notes or version guidance.
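
The inventory step above can be scripted. The following is an added example, not part of the NVD record or Oracle's advisory: it classifies collected server version strings against the three cutoffs listed on this page. It assumes the NDB version appears in the string as `ndb-X.Y.Z` and that each cutoff applies within its own release series; the hostnames and version strings are constructed sample values.

```python
import re

# Highest affected patch level per release series, as listed on this page
# (7.2.25 and earlier, 7.3.14 and earlier, 7.4.12 and earlier).
AFFECTED_CUTOFFS = {(7, 2): 25, (7, 3): 14, (7, 4): 12}

# Assumption: the collected version string carries the NDB version after
# an "ndb-" marker, e.g. "...-ndb-7.4.12-...".
NDB_VERSION = re.compile(r"ndb-(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Return 'affected', 'not-affected', 'series-not-listed' or 'unparsed'."""
    match = NDB_VERSION.search(version_string)
    if match is None:
        return "unparsed"  # not an NDB build, or an unexpected format
    major, minor, patch = (int(part) for part in match.groups())
    cutoff = AFFECTED_CUTOFFS.get((major, minor))
    if cutoff is None:
        # The record names only 7.2, 7.3 and 7.4; flag other series for
        # manual review instead of guessing.
        return "series-not-listed"
    return "affected" if patch <= cutoff else "not-affected"


def triage(inventory):
    """Map host -> classification for a {host: version string} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory: hostnames and version strings are sample values.
SAMPLE_INVENTORY = {
    "ndb-mgm-01": "5.5.53-ndb-7.2.25-cluster-gpl",
    "ndb-sql-02": "5.6.35-ndb-7.3.15-cluster-gpl",
    "ndb-sql-03": "5.6.34-ndb-7.4.12-cluster-gpl",
    "ndb-sql-04": "5.7.16-ndb-7.5.4-cluster-gpl",
    "app-db-05": "5.7.17-log",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Hosts reported as `series-not-listed` or `unparsed` need a manual check against the vendor advisory, since the record on this page does not cover them.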

Evidence notes

This debrief is based on the official NVD record for CVE-2017-3323, which includes the CVSS 3.0 vector, CWE-20 mapping, affected version ranges, and Oracle vendor-advisory references. The NVD references point to Oracle's January 2017 CPU advisory as the mitigation/vendor reference. No KEV entry is present in the supplied corpus.

Official resources

CVE published on 2017-01-27 and last modified on 2026-05-13 in the supplied record. No Known Exploited Vulnerabilities (KEV) entry is present in the provided data.