PatchSiren cyber security CVE debrief
CVE-2017-3339 Oracle CVE debrief
CVE-2017-3339 affects the Oracle Marketing component of Oracle E-Business Suite, specifically the User Interface subcomponent. According to the NVD record, an unauthenticated attacker with network access via HTTP can exploit the issue, but success requires human interaction by a person other than the attacker. Oracle’s advisory and the NVD entry identify affected supported versions including 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The stated impact includes unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data; Oracle notes the vulnerability may significantly affect additional products.
- Vendor: Oracle
- Product: CVE-2017-3339
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and IT owners of Oracle Marketing deployments on the affected versions. Any environment exposing the Oracle Marketing UI over HTTP should treat this as a high-priority patching and exposure-reduction item.
Technical summary
NVD classifies the issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which means the attack is network-based, low complexity, requires no privileges, and depends on user interaction. The vulnerable component is Oracle Marketing UI in Oracle E-Business Suite. The published CPE criteria list Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 as affected. NVD’s weakness classification is generic (NVD-CWE-noinfo), so the exact CWE is not specified in the supplied corpus.
Defensive priority
High. The combination of remote network reachability, no authentication, user interaction requirement, and potential impact to confidential and integrity-sensitive data makes this a strong patch-priority vulnerability for exposed Oracle E-Business Suite Marketing instances.
Recommended defensive actions
- Apply Oracle’s January 2017 Critical Patch Update referenced in the vendor advisory for affected Oracle Marketing deployments.
- Inventory Oracle E-Business Suite instances to confirm whether any of the affected Oracle Marketing versions are in use.
- Reduce exposure of the Oracle Marketing UI, especially over HTTP, by limiting network reachability to trusted users and segments.
- Review access controls and monitor for unusual Oracle Marketing web activity or unexpected data changes.
- Validate that vendor guidance has been applied across all related environments, including test and disaster recovery systems.
Evidence notes
All core claims are drawn from the supplied NVD record and the linked Oracle CPU advisory reference. The published CVE date is 2017-01-27, and the supplied modified date is 2026-05-13; the debrief uses the published date for issue timing. NVD lists the vulnerable Oracle Marketing versions and the CVSS vector, and the record references Oracle’s CPU January 2017 advisory.
Official resources
- CVE-2017-3339 CVE record (CVE.org)
- CVE-2017-3339 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: CVE published on 2017-01-27. The supplied NVD source record was modified on 2026-05-13.