PatchSiren cyber security CVE debrief
CVE-2017-3365 Oracle CVE debrief
CVE-2017-3365 is a high-severity Oracle Knowledge Management vulnerability in Oracle E-Business Suite’s User Interface component. NVD lists affected supported versions as 12.1.1, 12.1.2, and 12.1.3. The issue is network-reachable over HTTP and does not require authentication, but successful exploitation does require human interaction from someone other than the attacker. Oracle and NVD describe potential impact as unauthorized access to critical data, full access to accessible Oracle Knowledge Management data, and unauthorized update, insert, or delete access to some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3365
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations running Oracle E-Business Suite instances that include Oracle Knowledge Management, especially environments exposing the UI over the network. Security teams, application owners, and administrators responsible for patching Oracle CPU updates should prioritize this issue.
Technical summary
NVD assigns CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting a remotely reachable flaw with low attack complexity and no privileges required, but with user interaction needed. The affected CPEs listed by NVD are Oracle Knowledge Management 12.1.1, 12.1.2, and 12.1.3. The reported impact is primarily confidentiality and integrity compromise (C:H, I:L); the vector rates availability impact as None (A:N). NVD references Oracle’s January 2017 CPU advisory as the vendor patch reference.
Defensive priority
High. This is externally reachable, unauthenticated, and can expose or alter sensitive application data, but it depends on user interaction. Prioritize patching and exposure reduction in any internet-connected or broadly accessible E-Business Suite deployment.
Recommended defensive actions
- Verify whether Oracle Knowledge Management versions 12.1.1, 12.1.2, or 12.1.3 are deployed in your E-Business Suite estate.
- Apply the Oracle January 2017 CPU referenced by NVD for this issue, or the latest cumulative Oracle security update that addresses it.
- Restrict network access to Oracle E-Business Suite and its UI components to trusted administrative and business networks.
- Review any workflows or pages that may enable the required user interaction and tighten user awareness controls for suspicious links or prompts.
- Check Oracle support and asset inventories for related E-Business Suite components that may share exposure through the same deployment.
- Monitor for unusual access to Oracle Knowledge Management data and unexpected content changes in affected environments.
Evidence notes
Source corpus indicates CVE published 2017-01-27T22:59:05.820Z and modified 2026-05-13T00:24:29.033Z. NVD lists affected versions 12.1.1, 12.1.2, and 12.1.3 for Oracle Knowledge Management. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with base score 8.2. The references in the supplied corpus include Oracle CPU Jan 2017 and a SecurityFocus BID entry, but only the Oracle advisory is labeled as a vendor patch reference.
Official resources
- CVE-2017-3365 CVE record: CVE.org
- CVE-2017-3365 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in the CVE record on 2017-01-27. The supplied corpus does not indicate KEV inclusion or ransomware campaign use.