PatchSiren cyber security CVE debrief
CVE-2017-3422 Oracle CVE debrief
CVE-2017-3422 is a high-severity vulnerability in Oracle E-Business Suite’s One-to-One Fulfillment component (User Interface). Oracle’s published description says it is easily exploitable by an unauthenticated network attacker via HTTP, but successful attacks require human interaction. If abused, it can expose critical data and allow unauthorized changes to some accessible data.
- Vendor
- Oracle
- Product
- Oracle E-Business Suite (One-to-One Fulfillment, User Interface subcomponent)
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-27
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-27
- Advisory updated
- 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and incident responders responsible for One-to-One Fulfillment deployments, especially where the UI is reachable over HTTP.
Technical summary
According to the CVE record and NVD, the affected Oracle One-to-One Fulfillment versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is network-reachable, requires no authentication, and is triggered through HTTP, but it does require human interaction from a user. NVD lists CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: high confidentiality impact (C:H), low integrity impact (I:L), no availability impact, and a changed scope (S:C), meaning the consequences can extend beyond the One-to-One Fulfillment component itself. The scope change is what lifts the score into the High band despite the UI:R requirement.
Defensive priority
High. The combination of unauthenticated network access, HTTP reachability, and exposure of sensitive business data makes this a priority for Oracle E-Business Suite environments, even though user interaction is required.
Recommended defensive actions
- Review Oracle’s January 2017 Critical Patch Update advisory for the affected One-to-One Fulfillment versions and apply the vendor patch or remediation guidance.
- Confirm whether any Oracle E-Business Suite instances are running the affected versions listed in the CVE record.
- Reduce exposure of E-Business Suite HTTP interfaces where possible, especially from untrusted networks.
- Because exploitation requires a user action, identify the business workflows and user populations that interact with One-to-One Fulfillment pages, cover those users with awareness guidance, and monitor their sessions for unexpected interaction.
- Monitor relevant application and access logs for unusual requests or data-access patterns involving One-to-One Fulfillment.
- Prioritize remediation for internet-facing or broadly reachable deployments.
Evidence notes
The CVE description states the vulnerability affects Oracle One-to-One Fulfillment in Oracle E-Business Suite and that an unauthenticated attacker with network access via HTTP can exploit it, while successful attacks require human interaction. NVD lists the affected versions and CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle’s January 2017 CPU advisory is cited as the vendor patch reference in the source corpus.
Official resources
- CVE-2017-3422 CVE record (CVE.org)
- CVE-2017-3422 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch, Vendor Advisory)
- Source reference: Publicly disclosed in Oracle’s January 2017 Critical Patch Update timeframe; the CVE was published on 2017-01-27.