PatchSiren cyber security CVE debrief
CVE-2017-3334 Oracle CVE debrief
CVE-2017-3334 is a high-severity Oracle Marketing vulnerability in Oracle E-Business Suite that can be reached over HTTP by an unauthenticated network attacker, but successful exploitation requires user interaction. Oracle’s affected supported versions include 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue can lead to unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data, with possible impact beyond the Marketing component.
- Vendor: Oracle
- Product: CVE-2017-3334
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and defenders responsible for Oracle Marketing deployments should prioritize this CVE, especially where the application is exposed to network users and business processes rely on Marketing data integrity and confidentiality.
Technical summary
NVD describes CVE-2017-3334 as a network-reachable Oracle Marketing issue in the User Interface subcomponent. The vulnerability is exploitable without authentication via HTTP, but requires human interaction. NVD assigns CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting high confidentiality impact, low integrity impact, and no availability impact, with changed scope. The NVD record also lists the weakness as NVD-CWE-noinfo, so the precise flaw class is not specified in the supplied corpus.
Defensive priority
High. The combination of unauthenticated network reachability, user interaction requirements, and potential access to critical Oracle Marketing data makes this a material risk for exposed E-Business Suite environments.
Recommended defensive actions
- Review Oracle’s January 2017 CPU advisory referenced by NVD for product-specific remediation guidance.
- Inventory all Oracle E-Business Suite deployments using Oracle Marketing and confirm whether any supported affected versions are present.
- Apply vendor patches or mitigations identified by Oracle for the affected releases as soon as possible.
- Reduce exposure of the affected application to untrusted networks and limit HTTP access to only necessary users and systems.
- Monitor for abnormal access, data changes, and user-interaction-dependent workflow activity in Oracle Marketing.
- Validate that compensating controls and segmentation are in place for any systems that cannot be patched immediately.
Evidence notes
All claims are taken from the supplied NVD CVE record and its referenced Oracle advisory. The corpus states that Oracle Marketing in E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 is affected. It also states the issue is easily exploitable by an unauthenticated attacker with network access via HTTP, requires human interaction, and can cause unauthorized access to critical data plus unauthorized modification of some Oracle Marketing data. NVD provides CVSS v3.0 8.2 and vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. No KEV or ransomware association is present in the supplied data.
Official resources
- CVE-2017-3334 CVE record: CVE.org
- CVE-2017-3334 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
CVE published on 2017-01-27 and later modified in NVD on 2026-05-13. The supplied corpus references Oracle’s January 2017 CPU advisory as the vendor guidance source.