PatchSiren cyber security CVE debrief

CVE-2017-3359 Oracle CVE debrief

CVE-2017-3359 is an Oracle Customer Intelligence vulnerability in Oracle E-Business Suite affecting supported versions 12.1.1, 12.1.2, and 12.1.3. Oracle and NVD describe it as network-accessible over HTTP and easily exploitable, but with successful attacks requiring human interaction. Impact can include unauthorized access to critical data and unauthorized update, insert, or delete access to some Customer Intelligence data. Oracle addressed it in the January 2017 CPU referenced by NVD.

Vendor: Oracle
Product: CVE-2017-3359
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle E-Business Suite, especially environments using the Customer Intelligence component on versions 12.1.1, 12.1.2, or 12.1.3.

Technical summary

NVD lists the vulnerability with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network attackability, no privileges required, and a user-interaction requirement. The affected CPEs are Oracle Customer Intelligence 12.1.1, 12.1.2, and 12.1.3. NVD also records impacts to confidentiality and integrity, and the source references Oracle's January 2017 CPU as the vendor advisory/patch reference.

Defensive priority

High for any environment running the affected Oracle Customer Intelligence versions, because the issue is network-reachable and can expose or alter sensitive application data.

Recommended defensive actions

  • Verify whether Oracle E-Business Suite Customer Intelligence 12.1.1, 12.1.2, or 12.1.3 is deployed anywhere in your environment.
  • Review Oracle's January 2017 Critical Patch Update referenced by NVD and apply the vendor remediation for affected systems.
  • Restrict exposure of Oracle E-Business Suite interfaces to trusted networks where possible, especially HTTP-accessible paths.
  • Confirm whether any users may have interacted with suspicious or unexpected application content around the time of exposure.
  • Reassess data access controls and audit logs for unauthorized read or modification activity in Customer Intelligence data stores.

Evidence notes

This debrief is based on the NVD CVE record and its listed references. NVD records the affected CPEs as Oracle Customer Intelligence 12.1.1/12.1.2/12.1.3 and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The NVD reference list includes Oracle's January 2017 CPU advisory as a patch/vendor advisory reference, along with SecurityFocus BID 95464 and SecurityTracker 1037639. No exploit details beyond the supplied vulnerability description are included.

Official resources

CVE published 2017-01-27T22:59:05.617Z. NVD record modified 2026-05-13T00:24:29.033Z.