PatchSiren cyber security CVE debrief
CVE-2017-3357 Oracle CVE debrief
CVE-2017-3357 is a high-severity Oracle Marketing issue in Oracle E-Business Suite. Oracle and NVD describe it as remotely reachable over HTTP, requiring human interaction from someone other than the attacker, and capable of exposing critical data or allowing unauthorized changes in Oracle Marketing data. The affected supported versions include 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
- Vendor: Oracle
- Product: CVE-2017-3357
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Oracle Marketing deployments should treat this as important, especially if the UI is exposed to networks reachable by untrusted users.
Technical summary
NVD lists the weakness in Oracle Marketing's user interface component with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which indicates network attackability, no privileges required, and a user interaction requirement. The impact described by Oracle includes unauthorized access to critical data, full access to Oracle Marketing-accessible data, and unauthorized update, insert, or delete access to some Oracle Marketing data. NVD references the Oracle January 2017 CPU as the vendor advisory source.
Defensive priority
High. The combination of network exposure, no attacker privileges, and data-confidentiality and integrity impact makes this a priority for patching and exposure reduction, even though user interaction is required.
Recommended defensive actions
- Review Oracle's January 2017 CPU advisory and apply the relevant Oracle Marketing fixes for all affected supported releases.
- Verify whether Oracle Marketing is reachable from untrusted or broad network segments and restrict access where possible.
- Prioritize remediation for environments handling sensitive customer, campaign, or account data.
- If immediate patching is not possible, reduce exposure by limiting access to the application layer and monitoring for unusual user-interface activity.
- Validate that downstream Oracle E-Business Suite components and integrations are not relying on vulnerable Oracle Marketing functionality before and after remediation.
Evidence notes
This debrief is based only on the provided NVD/CVE record and its referenced Oracle advisory link. The CVE was published on 2017-01-27T22:59:05.553Z and later modified in NVD on 2026-05-13T00:24:29.033Z. NVD lists affected CPEs for Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, and records the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The vendor advisory reference in the source points to Oracle's January 2017 CPU notice.
Official resources
- CVE-2017-3357 CVE record (CVE.org)
- CVE-2017-3357 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Source reference: Publicly disclosed by NVD on 2017-01-27T22:59:05.553Z. Subsequent NVD metadata modification occurred on 2026-05-13T00:24:29.033Z.