PatchSiren cyber security CVE debrief
CVE-2017-3336 Oracle CVE debrief
CVE-2017-3336 affects Oracle Marketing in Oracle E-Business Suite and was published on 2017-01-27; NVD last modified the record on 2026-05-13. The issue is network-reachable over HTTP, does not require authentication, and needs human interaction from someone other than the attacker. Oracle’s advisory and NVD record indicate impacts to confidentiality and integrity, including unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data.
- Vendor: Oracle
- Product: CVE-2017-3336
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, Oracle Marketing owners, application security teams, SOC analysts, and anyone responsible for internet-facing Oracle ERP/CRM environments should review this CVE.
Technical summary
NVD lists CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with affected Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vulnerability is described as easily exploitable by an unauthenticated network attacker via HTTP, but successful exploitation requires human interaction. The documented consequence is unauthorized access to critical data or complete access to all Oracle Marketing accessible data, plus unauthorized modification of some accessible data.
Defensive priority
High. The combination of unauthenticated network reachability, required user interaction, and confidentiality/integrity impact makes this important to patch and to reduce exposure quickly, especially for externally reachable Oracle E-Business Suite deployments.
Recommended defensive actions
- Confirm whether Oracle Marketing is deployed in any Oracle E-Business Suite instance at versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Apply Oracle’s referenced January 2017 Critical Patch Update guidance for the affected product line as soon as practical.
- Reduce exposure of Oracle E-Business Suite interfaces to trusted networks only, and review whether HTTP access is exposed beyond required administrative paths.
- Review authentication and authorization controls around Oracle Marketing users and workflows that could be used to trigger the required human interaction.
- Check audit logs and access records for unusual access to Oracle Marketing data, especially unauthorized reads or data changes.
- Validate backups and recovery procedures for Oracle Marketing data in case integrity impact is suspected.
Evidence notes
This debrief is based on the supplied NVD record and the referenced Oracle CPU advisory. The NVD metadata identifies the affected CPE versions and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle advisory reference supports the patch/vendor-remediation context. No exploit steps or unsupported implementation details are included.
Official resources
- CVE-2017-3336 CVE record (CVE.org)
- CVE-2017-3336 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
Publicly disclosed vulnerability in Oracle Marketing for Oracle E-Business Suite. This summary is defensive only and avoids exploit guidance.