PatchSiren cyber security CVE debrief
CVE-2017-3428 Oracle CVE debrief
CVE-2017-3428 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite’s User Interface subcomponent. According to the NVD and Oracle’s referenced advisory, it is network reachable over HTTP, requires no attacker authentication, and can have significant confidentiality and integrity impact. The CVSS v3.0 vector indicates that user interaction is required and that scope changes, so exposure matters most in environments where end users can be induced to interact with the vulnerable flow.
- Vendor: Oracle
- Product: CVE-2017-3428
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and IT owners responsible for One-to-One Fulfillment deployments on affected 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 versions should prioritize this. Security teams protecting internet-reachable Oracle application services should also care because the attack is network-based and does not require authentication.
Technical summary
NVD classifies CVE-2017-3428 with CVSS v3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The vulnerable component is Oracle One-to-One Fulfillment in Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle’s published description states an unauthenticated network attacker can exploit the issue via HTTP, but success requires human interaction by someone other than the attacker. NVD lists vulnerable CPEs for Oracle One-to-One Fulfillment versions 12.1.1 through 12.2.6 as identified in the source corpus. The referenced Oracle CPU January 2017 advisory indicates a vendor patch/advisory exists.
Defensive priority
High. The issue is unauthenticated, network reachable, and may expose or alter sensitive business data. Because exploitation depends on user interaction, the immediate risk is lower than that of a fully automated remote flaw, but the confidentiality and integrity impact justifies prompt patching and exposure review.
Recommended defensive actions
- Confirm whether Oracle E-Business Suite One-to-One Fulfillment is deployed and whether the affected versions listed in the advisory are in use.
- Review Oracle’s January 2017 CPU advisory referenced in the source corpus and apply the vendor patch or mitigation guidance it contains.
- Prioritize remediation on any environment exposed to untrusted networks or broad internal user populations.
- Reduce exposure to the application where possible, especially for HTTP-accessible entry points tied to the vulnerable UI workflow.
- Monitor for unusual user-driven access patterns around the One-to-One Fulfillment interface and review related application logs after remediation.
- Validate that compensating controls do not depend on user behavior alone, since the vulnerability requires human interaction to succeed.
Evidence notes
All claims are grounded in the supplied corpus. NVD’s record states the vulnerability is in Oracle One-to-One Fulfillment, lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, and provides CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle CPU January 2017 advisory is present as a vendor/patch reference in the source set. The CVE published date used for timing context is 2017-01-27T22:59:07.867Z; the 2026 modified timestamp should not be treated as the issue date.
Official resources
- CVE-2017-3428 CVE record (CVE.org)
- CVE-2017-3428 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: Publicly disclosed in the CVE record on 2017-01-27. This debrief uses the CVE published date provided in the source corpus, not the later modified timestamp.