PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3324 Oracle CVE debrief

CVE-2017-3324 is a critical Oracle Primavera P6 Enterprise Project Portfolio Management Web Access vulnerability published on 2017-01-27. Oracle/NVD identify affected versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2, and the issue is reachable over HTTP by an unauthenticated attacker. Successful exploitation can affect confidentiality, integrity, and availability, including unauthorized data changes, data access, and partial denial of service.

Vendor
Oracle
Product
Primavera P6 Enterprise Project Portfolio Management (Web Access)
CVSS
CRITICAL 10.0 (CVSS v3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle Primavera P6 EPPM administrators, application owners, security teams, and infrastructure teams responsible for Web Access deployments—especially any instances reachable from untrusted networks.

Technical summary

NVD rates the issue CVSS v3.0 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L). The record describes an unauthenticated network attack via HTTP against Primavera P6 EPPM Web Access and lists affected releases 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2. The vector's A:L (partial availability impact) matches the "partial denial of service" wording in the record; because scope is changed (S:C), the 1.08 scope multiplier still carries the base score to the 10.0 ceiling despite the non-high availability component. NVD classifies the weakness as NVD-CWE-noinfo, so the source corpus does not identify the underlying flaw type.

Defensive priority

Immediate

Recommended defensive actions

  • Apply the fix from Oracle's January 2017 Critical Patch Update (CPU), referenced in the vendor advisory, to all affected Primavera P6 EPPM deployments.
  • Inventory Primavera P6 Enterprise Project Portfolio Management Web Access instances and confirm whether versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, or 16.2 are present.
  • Until the patch is confirmed, limit network exposure of the Web Access HTTP interface to trusted networks (for example by firewalling it off the internet or placing it behind a VPN); the attack path is unauthenticated, so any reachable instance is in scope.
  • Monitor for unauthorized data creation, deletion, modification, and unusual access to Primavera P6 EPPM data.
  • Check patch status across all environments and upgrade or retire instances where a supported fix cannot be verified.

Evidence notes

This debrief is based only on the supplied NVD record and the Oracle/SecurityFocus references attached to it. The source corpus confirms the affected versions, the unauthenticated HTTP attack path, and the severe CIA impact. NVD labels the weakness as NVD-CWE-noinfo, so the specific root cause is not disclosed in the provided sources. The CVE was published on 2017-01-27 and the NVD record was later modified on 2026-05-13.

Official resources

Publicly disclosed in Oracle's January 2017 security advisory and published in NVD on 2017-01-27; the NVD record was modified on 2026-05-13. No KEV entry is present in the supplied enrichment data.