PatchSiren

CVE-2017-3358 Oracle CVE debrief

CVE-2017-3358 is a high-severity vulnerability in the Oracle Marketing component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle and NVD describe it as easily exploitable over the network via HTTP by an unauthenticated attacker, with the important caveat that successful exploitation requires human interaction from someone other than the attacker. If successful, the impact can include unauthorized access to critical data or complete access to Oracle Marketing data, along with unauthorized update, insert, or delete actions against some of that data.

Vendor: Oracle
Product: CVE-2017-3358
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite with Oracle Marketing installed, especially on affected supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Security teams should also pay attention if Oracle Marketing data is integrated with other business systems, since the CVE notes potential impact beyond the component itself.

Technical summary

The CVE record and NVD entry describe a network-reachable flaw in Oracle Marketing's UI path. The published CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which aligns with unauthenticated remote access, low attack complexity, and a user-interaction requirement. NVD lists the affected CPEs as Oracle Marketing versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The NVD weakness field is NVD-CWE-noinfo, so the corpus does not provide a more specific CWE classification.

Defensive priority

High. The combination of unauthenticated network exposure, user interaction, and confidentiality/integrity impact makes this worth prompt review and remediation planning for any in-scope Oracle E-Business Suite deployment.

Recommended defensive actions

  • Confirm whether Oracle Marketing is deployed in any Oracle E-Business Suite instance matching the affected versions listed by NVD.
  • Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD for vendor guidance and remediation options.
  • Limit exposure of Oracle E-Business Suite interfaces to trusted networks where possible, especially HTTP-accessible paths involved in Oracle Marketing.
  • Review access controls and monitor for suspicious user interaction flows involving Oracle Marketing UI activity.
  • Prioritize patching or mitigation for any environment handling sensitive customer, sales, or campaign data in Oracle Marketing.
  • Validate after remediation that the affected Oracle Marketing instances are no longer exposed to the vulnerable condition.

Evidence notes

All substantive claims here are taken from the supplied CVE description, the NVD modified record, and the referenced Oracle CPU advisory link. The CVE was published on 2017-01-27T22:59:05.587Z, and the NVD record was modified on 2026-05-13T00:24:29.033Z. The affected versions, HTTP/network access conditions, user interaction requirement, impact statements, CVSS score/vector, and vendor references are directly reflected in the supplied corpus.

Official resources

Public CVE record published on 2017-01-27T22:59:05.587Z. NVD record last modified on 2026-05-13T00:24:29.033Z. No KEV listing was provided in the supplied corpus.