PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3328 Oracle CVE debrief

CVE-2017-3328 is a high-severity Oracle E-Business Suite issue in the Common Applications component, specifically the Resources Module. Oracle and NVD describe it as network-reachable over HTTP, unauthenticated, and requiring human interaction. The reported impact includes unauthorized access to sensitive data and possible unauthorized modification of some accessible data. Affected versions listed by NVD include 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Vendor: Oracle
Product: Oracle E-Business Suite (Common Applications, Resources Module)
CVE: CVE-2017-3328
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Common Applications/Resources Module deployments, especially where the service is reachable from untrusted networks.

Technical summary

NVD maps CVE-2017-3328 to Oracle Common Applications in Oracle E-Business Suite and records the CVSS v3.0 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Decoded, that vector means the issue is reachable over the network with low attack complexity and no privileges, but exploitation requires user interaction; the scope is changed, the confidentiality impact is high, the integrity impact is low, and availability is not affected. Oracle's January 2017 Critical Patch Update is referenced as the vendor advisory/patch source. The affected versions recorded in NVD's CPE entries are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Defensive priority

High. Prioritize prompt remediation for any exposed Oracle E-Business Suite instance because the vulnerability is remotely reachable, unauthenticated, and can affect confidentiality and integrity.

Recommended defensive actions

  • Review Oracle's January 2017 Critical Patch Update for the applicable fix and apply the vendor-recommended update to affected E-Business Suite systems.
  • Inventory E-Business Suite deployments and confirm whether any instance runs one of the affected versions listed by NVD.
  • Restrict network exposure of Oracle E-Business Suite services where possible, especially HTTP-accessible interfaces.
  • Monitor for suspicious user-interaction-driven activity against Oracle Common Applications and correlate with access logs.
  • Validate that downstream systems relying on Common Applications data account for the risk that some of that data may have been exposed or tampered with.

Evidence notes

This debrief is based only on the supplied NVD record and Oracle reference links. Key evidence: NVD lists the affected Oracle Common Applications versions and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The NVD record also references Oracle’s January 2017 CPU advisory as the vendor patch reference. No KEV entry was supplied, so this is not treated as a CISA KEV vulnerability here.

Official resources

Publicly disclosed in the CVE record published on 2017-01-27. The NVD entry references Oracle's January 2017 Critical Patch Update as the vendor advisory/patch source. No CISA KEV listing was provided.