PatchSiren

CVE-2017-3417 Oracle CVE debrief

CVE-2017-3417 is a high-severity Oracle Universal Work Queue vulnerability affecting supported Oracle E-Business Suite releases 12.1.1 through 12.2.6. The published description says an unauthenticated attacker with network access via HTTP can compromise the component, but successful exploitation requires human interaction from someone other than the attacker. The reported impact includes unauthorized access to critical data and possible unauthorized modification of some accessible data. Oracle’s January 2017 Critical Patch Update advisory is listed as the vendor reference.

Vendor: Oracle
Product: CVE-2017-3417
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Universal Work Queue or adjacent web-accessible EBS components should prioritize this issue. It is especially relevant where affected EBS versions are exposed to network users or where workflow/business operations depend on Universal Work Queue.

Technical summary

NVD records this issue with a CVSS 3.0 base score of 8.2 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). The vulnerability is in the Oracle Universal Work Queue user interface component and is reachable over HTTP. Although no privileges are required, exploitation depends on user interaction. NVD maps affected CPEs to Oracle Universal Work Queue versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The NVD weakness field is recorded as NVD-CWE-noinfo, so the public record does not provide a more specific CWE classification.

Defensive priority

High. The issue is network-reachable, unauthenticated, and rated high severity, but exploitation is not fully autonomous because it requires user interaction. That combination makes it important for internet-facing or broadly accessible Oracle E-Business Suite deployments.

Recommended defensive actions

  • Confirm whether any affected Oracle Universal Work Queue / Oracle E-Business Suite versions are in use, especially versions 12.1.1-12.1.3 and 12.2.3-12.2.6.
  • Review and apply Oracle’s January 2017 Critical Patch Update guidance referenced in the vendor advisory URL.
  • Limit exposure of Oracle E-Business Suite web interfaces to trusted networks where possible.
  • Monitor for unusual HTTP access or unexpected user interaction patterns against Universal Work Queue.
  • Validate that compensating controls, such as authentication boundaries and access restrictions, are in place for affected endpoints.
  • Track Oracle security advisories and NVD updates for any additional remediation notes or clarification.

Evidence notes

All core facts in this debrief come from the supplied CVE record and NVD metadata: published date 2017-01-27T22:59:07.490Z, affected versions listed in the CPE criteria, and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The record also includes Oracle’s CPU January 2017 advisory and a SecurityFocus reference. No exploit details, proof-of-concept steps, or unverified product claims are included.

Official resources

Publicly disclosed on 2017-01-27T22:59:07.490Z. The 2026-05-13 modified timestamp reflects later metadata update activity in the source record and should not be treated as the original disclosure date.