PatchSiren

CVE-2017-3343 Oracle CVE debrief

CVE-2017-3343 is a high-severity vulnerability in the Oracle Marketing component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle’s description indicates the issue is easily exploitable by an unauthenticated attacker with network access via HTTP, but successful exploitation requires human interaction from someone other than the attacker. The main risk is loss of confidentiality and integrity: Oracle states successful attacks can lead to unauthorized access to critical data or complete access to all Oracle Marketing-accessible data, plus unauthorized update, insert, or delete actions against some of that data. The affected supported versions listed in the source are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Vendor: Oracle
Product: CVE-2017-3343
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, Oracle Marketing owners, patch-management teams, and security teams responsible for internet-facing HTTP access to Oracle applications should prioritize this issue, especially where users can be induced to interact with malicious content.

Technical summary

The supplied NVD data identifies CVE-2017-3343 as affecting Oracle Marketing (Oracle E-Business Suite) with vulnerable CPEs covering versions 12.1.1 through 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which reflects network attackability, no privileges required, required user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact. NVD lists the weakness as NVD-CWE-noinfo. Oracle’s January 2017 CPU advisory is cited as a vendor reference in the source corpus.

Defensive priority

High. Prioritize patch verification and exposure reduction for any Oracle E-Business Suite deployments using Oracle Marketing, especially if users can reach the service over HTTP or if the application is externally accessible. Because exploitation requires user interaction, user-facing controls and patch deployment both matter.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite Oracle Marketing is deployed in your environment and compare the installed version against the affected versions listed in the source.
  • Review the Oracle January 2017 CPU advisory referenced by NVD and apply the vendor fix or update path for the impacted release.
  • Restrict network exposure to Oracle application interfaces, especially HTTP access, to the minimum required set of users and systems.
  • Increase user-awareness and mail/web filtering controls where user interaction with Oracle-facing content could be influenced by an attacker.
  • Validate patch status and compensating controls across all environments, including test and standby systems that may be reachable from user workstations.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and the official links included in the source item. Key facts come from the CVE description and NVD record: Oracle Marketing in Oracle E-Business Suite is affected; the attack is network-based via HTTP; it requires user interaction; affected versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6; and the CVSS v3.0 score is 8.2. The CVE published date used here is 2017-01-27T22:59:05.227Z. The NVD source item shows vulnStatus as Modified on 2026-05-13T00:24:29.033Z, which is a record update date, not the vulnerability’s original disclosure date.

Official resources

Public advisory available. The CVE was published on 2017-01-27, and the supplied NVD record shows a later modification on 2026-05-13. No KEV listing or ransomware-use indication is present in the supplied data.