PatchSiren

CVE-2017-3371 Oracle CVE debrief

CVE-2017-3371 affects Oracle iSupport in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3. According to the supplied NVD record, the issue is exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction. The expected impact is serious: unauthorized access to critical data, full access to iSupport-accessible data, and unauthorized update/insert/delete operations on some of that data.

Vendor: Oracle
Product: CVE-2017-3371
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle E-Business Suite, especially environments exposing Oracle iSupport to network users or external traffic. Data owners should also care because the reported impact includes both disclosure and modification of iSupport data.

Technical summary

The supplied NVD data identifies a vulnerability in the Oracle iSupport component of Oracle E-Business Suite, specifically the User Interface subcomponent. Affected versions are 12.1.1, 12.1.2, and 12.1.3. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network exploitation, low attack complexity, no privileges required, required user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact. NVD classifies the weakness as NVD-CWE-noinfo in the supplied record.

Defensive priority

High. Unauthenticated network reachability combined with high confidentiality impact makes this a priority remediation item for exposed Oracle E-Business Suite environments, even though exploitation requires user interaction.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite 12.1.1, 12.1.2, or 12.1.3 is in use, and whether Oracle iSupport is enabled.
  • Review Oracle's January 2017 CPU advisory referenced in the NVD record for vendor guidance and remediation steps.
  • Restrict network access to Oracle iSupport and any exposed Oracle E-Business Suite web entry points until remediation is complete.
  • Reduce user exposure to suspicious or untrusted links and requests that could trigger the required human interaction.
  • Validate after remediation that the affected Oracle iSupport instance is patched or otherwise no longer matches the vulnerable product/version criteria.

Evidence notes

The supplied CVE record states the issue was published on 2017-01-27 and later modified on 2026-05-13. NVD metadata lists affected CPEs for Oracle iSupport 12.1.1, 12.1.2, and 12.1.3, and gives CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with score 8.2. The NVD references include Oracle's CPU January 2017 advisory as a vendor reference.

Official resources

Publicly disclosed in the supplied CVE record on 2017-01-27. The supplied record shows a later metadata update on 2026-05-13; that is not the original issue date.