PatchSiren

CVE-2017-3349 Oracle CVE debrief

CVE-2017-3349 affects the Oracle Marketing component of Oracle E-Business Suite. Oracle describes it as an easily exploitable issue reachable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. The impact can include unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle Marketing data.

Vendor: Oracle
Product: CVE-2017-3349
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, Oracle Marketing owners, security teams monitoring externally reachable business applications, and incident responders supporting environments running the affected versions.

Technical summary

The NVD record lists CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network-reachable issue with low attack complexity, no privileges required, and user interaction required. Affected Oracle Marketing versions listed in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The record ties the issue to Oracle Marketing's user interface subcomponent and notes potential impact beyond the component itself.

Defensive priority

High. The issue is network reachable, requires no attacker privileges, and can expose sensitive data or allow integrity-impacting changes if successfully triggered.

Recommended defensive actions

  • Review Oracle's January 2017 security advisory and apply the vendor remediation for affected Oracle E-Business Suite / Oracle Marketing versions.
  • Inventory Oracle Marketing deployments and confirm whether any of the affected versions are in use: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Restrict exposure of Oracle Marketing interfaces to trusted networks where possible, since the issue is reachable over HTTP.
  • Monitor authentication, session, and data-change activity around Oracle Marketing for unexpected access or edits.
  • If compromise is suspected, review affected data for unauthorized access, insert, update, or delete activity and preserve relevant logs for investigation.

Evidence notes

This debrief is based on the NVD modified CVE record and the referenced Oracle advisory and SecurityFocus entry. The record states the vulnerability is in Oracle Marketing's User Interface subcomponent, is easily exploitable over HTTP by an unauthenticated attacker, requires human interaction, and may affect additional products. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Vulnerable versions listed in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Official resources

CVE published 2017-01-27 and later modified in the NVD record on 2026-05-13. This debrief reflects the published and modified record data supplied here, not a new issue date.