PatchSiren cyber security CVE debrief
CVE-2017-3424 Oracle CVE debrief
CVE-2017-3424 is a HIGH-severity Oracle vulnerability in the One-to-One Fulfillment component of Oracle E-Business Suite. NVD describes it as easily exploitable over HTTP by an unauthenticated attacker, but with a user-interaction requirement. Successful attacks can expose critical data and allow unauthorized changes to some One-to-One Fulfillment data.
- Vendor: Oracle
- Product: CVE-2017-3424
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and SOC teams responsible for internet-facing Oracle applications should prioritize this issue, especially where One-to-One Fulfillment is exposed to network users.
Technical summary
NVD lists the affected One-to-One Fulfillment versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network attack vector, low attack complexity, no privileges required, required user interaction, a scope change, high confidentiality impact, low integrity impact, and no availability impact. NVD also marks the weakness as NVD-CWE-noinfo, so the underlying flaw class is not specified in the provided corpus.
Defensive priority
High
Recommended defensive actions
- Review Oracle's January 2017 CPU advisory referenced by NVD and apply the vendor remediation for affected One-to-One Fulfillment versions.
- Inventory Oracle E-Business Suite deployments to confirm whether any affected 12.x releases are in use.
- Reduce exposure of Oracle application endpoints to trusted networks only, especially where HTTP access is not required externally.
- Because user interaction is required, reinforce user-awareness and access controls for web workflows that can reach One-to-One Fulfillment.
- Monitor for unauthorized access to critical One-to-One Fulfillment data and for unexpected updates, inserts, or deletes affecting application records.
- Validate that logging and alerting are enabled for authentication, session, and data-change events in the affected application path.
Evidence notes
The CVE description and NVD data in the supplied corpus state that the vulnerability affects Oracle One-to-One Fulfillment in Oracle E-Business Suite, with supported affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. NVD assigns CVSS v3.0 8.2 and the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. References in the corpus include Oracle's January 2017 security advisory and a SecurityFocus BID entry. The source corpus does not identify a specific CWE beyond NVD-CWE-noinfo.
Official resources
- CVE-2017-3424 CVE record (CVE.org)
- CVE-2017-3424 NVD detail (NVD)
- Mitigation or vendor reference: Patch, Vendor Advisory (NVD reference tags)
- Source reference: Publicly disclosed on 2017-01-27 per the supplied CVE/NVD record. Oracle's January 2017 security advisory is cited in the NVD references.