PatchSiren cyber security CVE debrief
CVE-2017-3425 Oracle CVE debrief
CVE-2017-3425 is a HIGH-severity Oracle vulnerability in the One-to-One Fulfillment component of Oracle E-Business Suite, specifically the User Interface subcomponent. NVD rates it 8.2 (CVSS v3.0) and describes it as network-reachable over HTTP, unauthenticated, but requiring human interaction. Successful attacks can expose critical data and allow unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3425
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, SOC analysts, and owners of any environment running One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 should prioritize this issue.
Technical summary
NVD lists CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating low-complexity network exploitation without privileges, but with required user interaction and scope change. The affected Oracle One-to-One Fulfillment versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vendor and NVD references point to Oracle's January 2017 Critical Patch Update advisory.
Defensive priority
High. The combination of unauthenticated network reachability, user interaction requirement, and high confidentiality impact makes this a strong patch-and-exposure-reduction priority for any exposed Oracle E-Business Suite deployment.
Recommended defensive actions
- Apply Oracle's January 2017 security update for affected Oracle E-Business Suite / One-to-One Fulfillment versions as directed by the vendor advisory.
- Inventory E-Business Suite instances and confirm whether any of the affected versions are deployed.
- Restrict HTTP access to the Oracle One-to-One Fulfillment UI to trusted networks and administrative pathways only.
- Review external exposure of the affected UI and remove unnecessary internet-facing access.
- Monitor for unusual user interaction patterns, authentication anomalies, and unexpected data changes in affected Oracle E-Business Suite environments.
- If patching is delayed, apply compensating controls such as segmentation and tighter access controls around the vulnerable service.
Evidence notes
Source timing is anchored to the CVE publish date of 2017-01-27T22:59:07.773Z, with the NVD record last modified on 2026-05-13T00:24:29.033Z. NVD provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and lists the affected Oracle One-to-One Fulfillment versions. Oracle's January 2017 CPU advisory is referenced by NVD as the vendor patch/advisory source. NVD also marks the weakness as NVD-CWE-noinfo, so the record does not supply a specific CWE.
Official resources
- CVE-2017-3425 CVE record (CVE.org)
- CVE-2017-3425 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: CVE published by NVD on 2017-01-27. NVD record last modified on 2026-05-13.