PatchSiren

CVE-2017-3344 Oracle CVE debrief

CVE-2017-3344 affects the Oracle Marketing component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle and NVD describe it as an easily exploitable vulnerability over HTTP that does not require authentication but does require human interaction from someone other than the attacker. Successful exploitation can lead to unauthorized access to critical data, complete access to Oracle Marketing-accessible data, and unauthorized update, insert, or delete actions against some of that data.

Vendor: Oracle
Product: CVE-2017-3344
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite instances with Oracle Marketing enabled, especially supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Security, application, and database administrators should care most if the application is reachable by network users or used in workflows that involve user interaction.

Technical summary

The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which aligns with a network-facing issue that is easy to reach but depends on user interaction. The source corpus identifies affected Oracle Marketing versions through explicit CPEs and does not name a specific CWE, listing NVD-CWE-noinfo. The reported impact centers on confidentiality and integrity, not availability.

Defensive priority

High. This is a network-reachable Oracle E-Business Suite issue with unauthenticated attack potential and high data-impact consequences. Prioritize it for any exposed or broadly accessible Oracle Marketing deployment, and treat user-interaction-dependent exploitation as a meaningful residual risk rather than a reason to defer remediation.

Recommended defensive actions

  • Verify whether any Oracle E-Business Suite environments run the affected Oracle Marketing versions listed in the advisory and NVD CPEs.
  • Confirm that Oracle's January 2017 Critical Patch Update referenced in the official Oracle advisory has been applied to all affected systems.
  • Reduce exposure of Oracle E-Business Suite interfaces to only required network paths and users, especially where HTTP access is unnecessary.
  • Review business processes that rely on user interaction in Oracle Marketing, because exploitation requires another person to interact.
  • Check for unauthorized changes or unusual access to Oracle Marketing data, including unexpected inserts, updates, deletes, or bulk data access.
  • Assess whether adjacent Oracle products or integrations could be affected downstream, since the source description notes possible impact to additional products.
  • Use the Oracle advisory and NVD record to validate remediation scope and confirm that all supported affected releases are covered.

Evidence notes

This debrief is based only on the supplied CVE/NVD corpus and official links. Key source facts include: affected Oracle Marketing versions 12.1.1 through 12.2.6; network access via HTTP; no authentication required; human interaction required; and confidentiality/integrity impact with CVSS v3.0 8.2. The NVD record lists no specific CWE (NVD-CWE-noinfo).

Official resources

Publicly disclosed in Oracle's January 2017 Critical Patch Update and recorded by CVE on 2017-01-27.