PatchSiren cyber security CVE debrief
CVE-2017-3426 Oracle CVE debrief
CVE-2017-3426 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite. According to the CVE and NVD records, it is reachable over the network via HTTP, does not require attacker authentication, and can lead to unauthorized access to critical data and some data modification. Exploitation does require human interaction from someone other than the attacker, but the potential impact is still significant for affected deployments.
- Vendor
- Oracle
- Product
- Oracle One-to-One Fulfillment (Oracle E-Business Suite)
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-27
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-27
- Advisory updated
- 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, vulnerability management owners, SOC analysts, and business owners responsible for Oracle One-to-One Fulfillment deployments.
Technical summary
The NVD entry classifies this issue with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (8.2): network-reachable, low attack complexity, no privileges required, user interaction required, scope changed, high confidentiality impact, low integrity impact, no availability impact. Affected product criteria list Oracle One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVE description states that a remote unauthenticated attacker with network access via HTTP can compromise the component, with successful attacks potentially resulting in unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data. Scope is Changed (S:C), which is why the record also notes that a successful attack may impact additional products beyond the vulnerable component.
Defensive priority
High for any internet-facing Oracle E-Business Suite environment; material even for internal deployments because the issue can expose critical data and allow some data modification.
Recommended defensive actions
- Confirm whether each Oracle E-Business Suite instance has One-to-One Fulfillment installed and whether its release is in the affected version set listed by NVD (12.1.1 through 12.1.3 and 12.2.3 through 12.2.6).
- Apply the Oracle Critical Patch Update fix for January 2017 referenced in the NVD record, and validate on each instance that the applicable patch is actually present rather than only scheduled.
- Reduce exposure of the affected application path to only required users and networks, especially any HTTP access reachable from the internet.
- Review access controls and logs for One-to-One Fulfillment around the vulnerable period. Because exploitation requires a user action (UI:R), focus on requests tied to legitimate user sessions that perform unexpected reads or modifications.
- If patching is delayed, place compensating controls around the affected application and document the exception until remediation is complete.
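The first two actions above reduce to a triage pass over an inventory. The following is an added example written for this debrief, not tooling from Oracle or NVD: it parses affected-configuration names in CPE 2.3 format the way they appear in NVD data, extracts the affected One-to-One Fulfillment versions, and ranks a small set of constructed E-Business Suite instances by patch urgency. The CPE product token `one-to-one_fulfillment`, the inventory records and the field names are assumptions for illustration; substitute the exact CPE list from the NVD record and your own CMDB export.

```python
"""Patch-priority triage for CVE-2017-3426 across an EBS inventory.

Added example for this debrief, not code from Oracle or NVD. The CPE
product token and the inventory below are constructed for illustration;
the version list is the one the NVD record names.
"""
from dataclasses import dataclass

# Constructed from the NVD version list; the product token is an assumption.
AFFECTED_CPES = [
    "cpe:2.3:a:oracle:one-to-one_fulfillment:%s:*:*:*:*:*:*:*" % v
    for v in ("12.1.1", "12.1.2", "12.1.3", "12.2.3", "12.2.4", "12.2.5", "12.2.6")
]


def parse_cpe23(cpe: str) -> tuple:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    # CPE 2.3 formatted strings have exactly 13 colon-separated components.
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: " + cpe)
    return parts[3], parts[4], parts[5]


def affected_versions(cpes) -> set:
    """Versions of oracle:one-to-one_fulfillment named in the CPE list."""
    return {ver for vend, prod, ver in map(parse_cpe23, cpes)
            if vend == "oracle" and prod == "one-to-one_fulfillment"}


@dataclass
class EbsInstance:
    host: str
    version: str            # One-to-One Fulfillment release, e.g. "12.2.5"
    module_installed: bool  # is One-to-One Fulfillment deployed at all
    cpu_jan2017_applied: bool
    internet_facing: bool


def triage(instances, affected) -> list:
    """Return (host, status) pairs sorted by urgency.

    Statuses: patch-now (affected, unpatched, internet-facing),
    patch-internal (affected, unpatched, internal only),
    verify-version (module present but release not in the NVD set),
    patched, n/a (module not installed).
    """
    ranked = []
    for i in instances:
        if not i.module_installed:
            status = "n/a"
        elif i.version not in affected:
            status = "verify-version"
        elif i.cpu_jan2017_applied:
            status = "patched"
        elif i.internet_facing:
            status = "patch-now"
        else:
            status = "patch-internal"
        ranked.append((i.host, status))
    order = {"patch-now": 0, "patch-internal": 1, "verify-version": 2,
             "patched": 3, "n/a": 4}
    ranked.sort(key=lambda r: (order[r[1]], r[0]))
    return ranked


# Constructed sample inventory (hypothetical hosts).
SAMPLE_INVENTORY = [
    EbsInstance("ebs-prod-01", "12.2.5", True, False, True),
    EbsInstance("ebs-hr-02", "12.1.3", True, False, False),
    EbsInstance("ebs-dev-03", "12.2.6", True, True, False),
    EbsInstance("ebs-fin-04", "12.2.7", True, False, False),
    EbsInstance("ebs-crm-05", "12.2.4", False, False, True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY, affected_versions(AFFECTED_CPES)):
        print(host, status)
```

A release outside the NVD set (12.2.7 in the sample) is deliberately not marked clean: the record only enumerates versions it lists as vulnerable, so an unlisted release should be confirmed against the vendor advisory rather than assumed safe.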
Evidence notes
The CVE description identifies Oracle One-to-One Fulfillment in Oracle E-Business Suite as the affected component and states that the exposure path is HTTP and that human interaction is required. The NVD record supplies the CVSS vector and score, the vulnerable CPE version set, and references the Oracle January 2017 Critical Patch Update advisory as the vendor reference. The supplied data carries NVD-CWE-noinfo, so the weakness class is not identified in the record; nothing here should be read as confirming a specific bug class.
Official resources
- CVE-2017-3426 CVE record (CVE.org)
- CVE-2017-3426 NVD detail (NVD)
- Source item: nvd_modified feed entry
- Mitigation or vendor reference: Oracle security alert contact listed in the NVD record, tagged Patch and Vendor Advisory (January 2017 Critical Patch Update)
- Source reference: published 2017-01-27T22:59:07.803Z and last modified 2026-05-13T00:24:29.033Z in the supplied CVE record. No KEV designation is present in the supplied enrichment.