PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3370 Oracle CVE debrief

CVE-2017-3370 is a high-severity vulnerability in the Oracle iSupport component of Oracle E-Business Suite. Oracle and NVD list the affected supported versions as 12.1.1, 12.1.2, and 12.1.3. The flaw is reachable over HTTP, requires no authentication, and allows unauthorized access to critical data or complete access to all Oracle iSupport-accessible data, together with unauthorized update, insert, or delete access to some of that data. Successful exploitation requires interaction from a person other than the attacker, so the attacker must induce a legitimate user to act.

Vendor: Oracle
Product: Oracle E-Business Suite (Oracle iSupport component)
CVSS: 8.2 HIGH (v3.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, Oracle iSupport owners, application security teams, and patch management teams should prioritize this issue, especially where iSupport is reachable from the internet or from untrusted networks. Organizations that rely on Oracle iSupport for customer service workflows should also review the downstream business processes that would be affected by unauthorized reads or changes to iSupport data.

Technical summary

NVD scores the flaw as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: a remotely reachable, low-complexity attack path with no privileges required, but one that needs user interaction (UI:R) and has a changed scope (S:C), meaning the impact can extend beyond the iSupport component itself. The affected component is Oracle iSupport, specifically the User Interface subcomponent. NVD assigns no specific weakness class; the record carries only NVD-CWE-noinfo. The stated impact is unauthorized access to critical data or complete access to all Oracle iSupport-accessible data (C:H) and unauthorized update, insert, or delete access to some Oracle iSupport-accessible data (I:L), with no availability impact.

Defensive priority

High. Prioritize remediation for any affected Oracle E-Business Suite 12.1.1/12.1.2/12.1.3 deployment that exposes iSupport to users or to broader network access. The issue is unauthenticated and network-based and affects both confidentiality and integrity; the only mitigating factor is that a legitimate user must be induced to act, which is a weak barrier for a customer-facing portal. Treat it as a significant application security exposure.

Recommended defensive actions

  • Inventory Oracle E-Business Suite instances, confirm their release (12.1.1, 12.1.2, or 12.1.3), and record whether Oracle iSupport is installed and actively used on each.
  • Review Oracle's January 2017 Critical Patch Update advisory referenced by NVD and apply the vendor-documented remediation to every affected instance, including non-production copies that are reachable by users.
  • Reduce or restrict HTTP exposure of Oracle iSupport where possible, especially for internet-facing deployments, and limit access to the user populations that need it.
  • Review access to sensitive iSupport data and, if the component was exposed before patching, investigate for unauthorized reads or changes during the exposure window.
  • Validate whether dependent Oracle E-Business Suite workflows or integrations would be affected by a compromise of iSupport data.
  • After remediation, monitor iSupport-related logs for abnormal user-driven sessions and unexpected data modifications.

Evidence notes

CVE published on 2017-01-27. NVD's modified record lists Oracle iSupport 12.1.1, 12.1.2, and 12.1.3 as vulnerable and provides CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The record also cites Oracle's January 2017 CPU advisory and a SecurityFocus BID 95526 entry as references.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27. This debrief uses the CVE publication date for timing context and relies on the official CVE and NVD records plus the referenced vendor advisory links.