PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3421 Oracle CVE debrief

CVE-2017-3421 is a high-severity vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite. NVD describes it as easily exploitable by an unauthenticated attacker with network access via HTTP, although a successful attack requires interaction from a person other than the attacker. The reported impact is unauthorized access to critical data and unauthorized modification of some of the data the component can reach.

Vendor
Oracle
Product
Oracle One-to-One Fulfillment (Oracle E-Business Suite)
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams running Oracle One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.

Technical summary

NVD lists the issue in the Oracle One-to-One Fulfillment component, subcomponent User Interface, with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. That reads as: reachable over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but a user must take some action for the attack to succeed (UI:R). The scope is changed (S:C), meaning the consequences extend beyond the security authority of the vulnerable component itself, and the impact is high on confidentiality (C:H), low on integrity (I:L) and none on availability (A:N). The scope change and the high confidentiality impact are what push the base score to 8.2; with unchanged scope or a lower confidentiality impact the same vector would land in the mid-7s or lower. NVD also records vulnerable CPEs for the affected Oracle One-to-One Fulfillment versions noted above.

Defensive priority

High for any environment running the affected Oracle One-to-One Fulfillment versions, especially if the application is reachable from untrusted networks or used by active business users.

Recommended defensive actions

  • Review Oracle's January 2017 Critical Patch Update guidance and apply the vendor patch or update for the affected Oracle E-Business Suite / One-to-One Fulfillment versions.
  • Inventory deployments to confirm whether versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are present.
  • Restrict network exposure of Oracle E-Business Suite interfaces to trusted clients and administrative paths while remediation is underway.
  • Remind Oracle E-Business Suite users that the attack depends on a legitimate user interacting with attacker-supplied content, so unexpected links or prompts that lead into the One-to-One Fulfillment user interface should be treated with suspicion and reported.
  • Monitor Oracle advisory updates, and review web-tier and application logs for abnormal access to One-to-One Fulfillment data or unusual user interface activity, particularly requests arriving from untrusted sources.

Evidence notes

Oracle's vendor advisory is referenced by NVD, and NVD provides the official vulnerability metadata used here, including the affected CPEs and CVSS vector. The supplied description states that the flaw is easily exploitable via HTTP by an unauthenticated attacker, requires human interaction, and may lead to unauthorized access, update, insert, or delete actions against Oracle One-to-One Fulfillment accessible data. The supplied NVD data lists the affected supported versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Official resources

The CVE was published in NVD on 2017-01-27 22:59:07.633Z. Oracle's January 2017 Critical Patch Update is the vendor advisory referenced in the supplied corpus. The NVD record was later modified on 2026-05-13 00:24:29.033Z, but that is not a