PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3368 Oracle CVE debrief

CVE-2017-3368 is a high-severity Oracle iStore vulnerability in Oracle E-Business Suite’s Address Book subcomponent. Oracle’s description says it is easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from a person other than the attacker. The impact can include unauthorized access to critical data and unauthorized update, insert, or delete access to some Oracle iStore data.

Vendor: Oracle
Product: Oracle iStore (Oracle E-Business Suite)
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite with Oracle iStore enabled, especially the affected supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Security teams, EBS administrators, and application owners responsible for internet-facing or user-accessible Oracle web applications should prioritize review.

Technical summary

The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, and a user-interaction requirement. The issue is mapped to Oracle iStore and its Address Book subcomponent. The reported consequence is confidential data exposure and limited integrity impact, with no direct availability impact listed. NVD identifies no specific CWE beyond NVD-CWE-noinfo.

Defensive priority

High. This is an unauthenticated, network-reachable issue with the potential for sensitive data compromise in a customer-facing Oracle application. The user-interaction requirement lowers, but does not remove, urgency because the affected component is exposed through HTTP and the impact includes critical data access.

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite deployments use Oracle iStore and verify whether versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are in use.
  • Review Oracle's January 2017 CPU advisory for the applicable fix and ensure affected systems are patched.
  • Reduce exposure of Oracle iStore and related HTTP endpoints to only required networks and users.
  • Monitor authentication, access, and data-change activity in iStore and related E-Business Suite components for signs of unauthorized access, insertion, update, or deletion.
  • If exploitation is suspected, investigate potential downstream impact on additional products or data sources that integrate with Oracle iStore.

Evidence notes

All findings above are taken from the supplied NVD record and Oracle vendor reference. The record states the vulnerability is in Oracle iStore, subcomponent Address Book, affects the listed supported versions, is exploitable over HTTP by an unauthenticated attacker, requires human interaction, and can lead to unauthorized access and modification of iStore data. The source references include Oracle's January 2017 CPU advisory and secondary references (SecurityFocus BID 95605 and SecurityTracker 1037639). No KEV entry was supplied.

Official resources

CVE published 2017-01-27. The supplied record was last modified 2026-05-13, but that is not the vulnerability issue date. No KEV date was supplied.