PatchSiren

CVE-2017-3361 Oracle CVE debrief

CVE-2017-3361 affects the Oracle Installed Base user interface in Oracle E-Business Suite. Oracle and NVD describe it as network-reachable over HTTP, unauthenticated, but requiring interaction from another person. Successful exploitation can expose critical data and permit unauthorized modification of some Installed Base data.

Vendor: Oracle
Product: CVE-2017-3361
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Oracle Installed Base instances running versions 12.1.1, 12.1.2, or 12.1.3.

Technical summary

NVD lists this issue with CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). The vulnerable scope is Oracle Installed Base UI, with affected CPEs for versions 12.1.1, 12.1.2, and 12.1.3. Oracle’s January 2017 Critical Patch Update is referenced as the vendor advisory/patch source.

Defensive priority

High

Recommended defensive actions

  • Apply Oracle’s January 2017 Critical Patch Update referenced in the vendor advisory for affected Oracle E-Business Suite / Installed Base versions.
  • Confirm whether any Oracle Installed Base deployments are running versions 12.1.1, 12.1.2, or 12.1.3 and prioritize them for remediation.
  • Limit exposure of the application to only required network paths, especially HTTP access, until remediation is complete.
  • Review user workflows and access controls around Installed Base because exploitation requires human interaction from a separate person.
  • Monitor Oracle application access and administrative activity for unexpected changes to Installed Base data.

Evidence notes

The supplied NVD record marks the vulnerability as modified on 2026-05-13 and published on 2017-01-27; the CVE issue date should be taken from the publishedAt field, not the later modification date. NVD cites CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and identifies affected Oracle Installed Base versions 12.1.1, 12.1.2, and 12.1.3. Oracle’s January 2017 CPU is included in the references as the vendor patch/advisory source.

Official resources

Publicly disclosed and published in the supplied record on 2017-01-27; the NVD record was last modified on 2026-05-13. Use the 2017-01-27 published date for issue timing.