PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3354 Oracle CVE debrief

CVE-2017-3354 is a high-severity vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Oracle and NVD describe it as easily exploitable by an unauthenticated attacker with network access via HTTP, but a successful attack requires human interaction from a user other than the attacker. If exploited, it can expose critical Oracle Marketing data (up to all data Oracle Marketing can reach) and allow unauthorized update, insert, or delete of some Oracle Marketing data.

Vendor
Oracle
Product
Oracle E-Business Suite (Oracle Marketing component)
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Administrators, application owners, and security teams responsible for Oracle E-Business Suite deployments that include Oracle Marketing, specifically the supported versions Oracle lists as affected: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Technical summary

The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Read metric by metric: the issue is reachable over the network (AV:N), needs no special conditions (AC:L) and no privileges (PR:N), but does depend on a legitimate user taking some action (UI:R). Scope is changed (S:C), meaning the impact is not confined to the vulnerable Oracle Marketing component; the impact metrics map directly onto Oracle's wording, with high confidentiality impact (C:H), low integrity impact (I:L) and no availability impact (A:N). The affected component is Oracle Marketing, specifically the User Interface subcomponent. Oracle's published description says successful attacks can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data, plus unauthorized update, insert, or delete access to some Oracle Marketing data. The vulnerability is listed for Oracle Marketing 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6; Oracle only assesses supported releases, so older, unsupported releases are not covered by the listing and should not be assumed clean.

Defensive priority

High. The issue is network-reachable, requires no privileges, and can affect the confidentiality and integrity of Oracle Marketing data, with the scope change indicating impact beyond the vulnerable component. The need for human interaction (UI:R) means an attacker must get a legitimate user to act, which lowers exposure somewhat, but the potential impact on critical data makes timely remediation important.

Recommended defensive actions

  • Apply the Oracle E-Business Suite patches from Oracle's January 2017 Critical Patch Update (or a later Critical Patch Update that includes them) to every deployment running an affected Oracle Marketing version.
  • Inventory Oracle E-Business Suite instances and record both the release and whether the Oracle Marketing product is installed, to confirm which instances run an affected version: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Treat older releases that are not in the list as unassessed rather than safe.
  • Because the attack vector is network access via HTTP, review which Oracle Marketing interfaces are reachable from the internet or from untrusted internal networks, and restrict that exposure where possible.
  • Brief users and administrators with Oracle Marketing access that the attack depends on a legitimate user taking an action, so unexpected prompts, links, or workflows involving Oracle Marketing are treated with suspicion until the patch is applied.
  • Monitor Oracle Marketing access and data changes (reads of sensitive data, and updates, inserts, or deletes) for signs of unauthorized activity, especially in environments where many users can reach the application.
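The inventory step above is the one most teams get wrong, usually by matching version strings loosely or by treating an unlisted release as unaffected. The following is an added example (not PatchSiren's or Oracle's code) that classifies inventory rows against the affected list from this advisory. The input rows are constructed here to resemble the output of an inventory query such as `SELECT release_name FROM apps.fnd_product_groups` joined with the Oracle Marketing row of `apps.fnd_product_installations` (application short name AMS); that query, the `Instance` record layout, and the category names are assumptions of this example, not something the advisory specifies.

```python
"""Classify Oracle E-Business Suite instances against the CVE-2017-3354 affected list.

Added example, not code from PatchSiren or Oracle. The inventory rows below are
constructed; in practice they would come from an inventory query against the EBS
database (assumed here, not specified by the advisory).
"""
import re
from dataclasses import dataclass

# Oracle Marketing versions that NVD and Oracle list as affected (from the advisory).
AFFECTED = {"12.1.1", "12.1.2", "12.1.3", "12.2.3", "12.2.4", "12.2.5", "12.2.6"}

# Highest listed patch level per (major, minor) release line, derived from AFFECTED.
_MAX_LISTED = {}
for _v in AFFECTED:
    _ma, _mi, _pa = (int(x) for x in _v.split("."))
    _MAX_LISTED[(_ma, _mi)] = max(_MAX_LISTED.get((_ma, _mi), 0), _pa)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_release(release_name: str) -> tuple:
    """Turn an EBS release string such as '12.2.6' or '11.5.10.2' into (major, minor, patch).

    Only the first three numeric components matter for matching the advisory's list;
    anything after them is ignored rather than guessed at.
    """
    m = _RELEASE_RE.match(release_name.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release_name!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class Instance:
    name: str
    release_name: str
    # Assumed to mirror fnd_product_installations.status for the AMS product:
    # 'I' installed, 'S' shared, 'N' not installed.
    ams_status: str


def classify(inst: Instance) -> str:
    """Return 'affected', 'not-installed', 'newer-than-listed' or 'review-unlisted'."""
    major, minor, patch = parse_release(inst.release_name)
    if inst.ams_status not in ("I", "S"):
        # Oracle Marketing is not installed or shared here, so the vulnerable
        # component is absent on this instance.
        return "not-installed"
    if f"{major}.{minor}.{patch}" in AFFECTED:
        return "affected"
    top = _MAX_LISTED.get((major, minor))
    if top is not None and patch > top:
        # Release line is known but this patch level post-dates the listed range;
        # confirm the applied Critical Patch Update level rather than assume it is fixed.
        return "newer-than-listed"
    # Older or unrelated release line: Oracle only assesses supported releases,
    # so absence from the list is not evidence of safety.
    return "review-unlisted"


def report(instances) -> dict:
    """Map each instance name to its classification, ready for a ticket or dashboard."""
    return {inst.name: classify(inst) for inst in instances}


# Constructed sample inventory (not real hosts).
SAMPLE = [
    Instance("ebs-prod-01", "12.2.6", "I"),
    Instance("ebs-prod-02", "12.2.4", "N"),
    Instance("ebs-test-01", "12.2.7", "I"),
    Instance("ebs-legacy-01", "11.5.10.2", "S"),
    Instance("ebs-dev-01", "12.1.3", "I"),
]

if __name__ == "__main__":
    for name, verdict in report(SAMPLE).items():
        print(f"{name:15s} {verdict}")
```

The important design choice is the four-way verdict rather than a boolean: "not-installed" lets you drop instances where the component is genuinely absent, while "review-unlisted" keeps unsupported releases on the remediation list instead of silently marking them clean.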

Evidence notes

All core facts are drawn from the supplied NVD record and Oracle vendor advisory reference. The CVE was published on 2017-01-27. NVD lists the affected Oracle Marketing versions and the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle’s description states exploitation is via HTTP, requires human interaction, and can lead to unauthorized access to critical data or full access to Oracle Marketing accessible data, plus unauthorized update/insert/delete access to some data. The official reference URL in the source corpus points to Oracle’s January 2017 Critical Patch Update advisory.

Official resources

Publicly disclosed in Oracle’s January 2017 Critical Patch Update advisory and published in the CVE record on 2017-01-27.