PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3423 Oracle CVE debrief

CVE-2017-3423 is a high-severity flaw in Oracle One-to-One Fulfillment, part of Oracle E-Business Suite, in its User Interface subcomponent. Oracle and NVD describe it as remotely reachable over HTTP, unauthenticated, and requiring human interaction, with potential impact on the confidentiality and integrity of accessible data. Because it affects a business-critical ERP component and its scope-changed CVSS vector indicates that impact may extend beyond the vulnerable component itself, it should be treated as a priority patching issue for exposed Oracle E-Business Suite deployments.

Vendor
Oracle
Product
CVE-2017-3423
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, ERP owners, and defenders responsible for internet-facing Oracle application tiers or systems where users may interact with Oracle-hosted workflows.

Technical summary

NVD classifies the issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and a base score of 8.2. Affected versions listed in the corpus are Oracle One-to-One Fulfillment 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The published description states that an unauthenticated attacker with network access via HTTP can compromise the component, but successful attacks require interaction from a person other than the attacker. The NVD weakness field is generic (NVD-CWE-noinfo), so the corpus does not provide a more specific CWE classification.

Defensive priority

High. The issue is network-reachable, unauthenticated, and affects an enterprise application component with potential data confidentiality and integrity impact. Prioritize patching or mitigation on any affected Oracle E-Business Suite environment, especially if the application is exposed to users or the internet.

Recommended defensive actions

  • Apply Oracle's January 2017 CPU or the relevant vendor fix for affected One-to-One Fulfillment versions.
  • Inventory Oracle E-Business Suite instances and confirm whether any affected 12.1.x or 12.2.x One-to-One Fulfillment versions are in use.
  • Restrict network exposure to Oracle application services and minimize access to the User Interface component.
  • Review application access paths that rely on user interaction, since the vulnerability requires a non-attacker user to participate.
  • Monitor Oracle security advisories and NVD updates for any additional guidance or affected-component clarification.

Evidence notes

The corpus contains an Oracle CPU January 2017 advisory reference and the NVD record for CVE-2017-3423. The CVE was published on 2017-01-27T22:59:07.693Z; the 2026-05-13 modified timestamp reflects later record maintenance and should not be treated as the disclosure date. No exploit code, reproduction steps, or unsupported remediation claims are included here.

Official resources

Publicly disclosed and cataloged on 2017-01-27, with the NVD record and Oracle January 2017 CPU reference serving as the primary timeline anchors in the supplied corpus.