PatchSiren


CVE-2017-3430 Oracle CVE debrief

CVE-2017-3430 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite’s User Interface component. Oracle and NVD describe it as network-exploitable over HTTP by an unauthenticated attacker, with successful exploitation requiring human interaction from a person other than the attacker. The documented impact includes unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data. Oracle published the issue on 2017-01-27.

Vendor: Oracle
Product: CVE-2017-3430
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, security teams, and application owners running One-to-One Fulfillment on affected supported releases: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Technical summary

The NVD record maps CVE-2017-3430 to Oracle One-to-One Fulfillment with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting remote network attackability, no privileges required, and a user-interaction requirement. The affected CPEs listed by NVD are specific Oracle One-to-One Fulfillment versions 12.1.1 through 12.2.6. The issue is associated with confidentiality and integrity impact, not availability impact, and NVD lists CWE as NVD-CWE-noinfo.

Defensive priority

High

Recommended defensive actions

  • Verify whether any Oracle E-Business Suite deployments run One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle’s January 2017 security advisory for vendor guidance and patch information.
  • Limit exposure of the affected application where possible, especially HTTP access paths to the user interface.
  • Monitor for unauthorized data access or unexpected data modification activity in the affected component.
  • Prioritize remediation in environments where the application handles sensitive or business-critical data.

Evidence notes

Facts above are drawn from the CVE record, NVD detail, and Oracle advisory reference included in the source corpus. NVD lists the affected Oracle One-to-One Fulfillment versions and the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle’s advisory reference is CPU Jan 2017, and the NVD record includes references to the Oracle advisory and SecurityFocus BID 95569. No exploit code or unsupported claims are included.

Official resources

Publicly disclosed and recorded on 2017-01-27; use that CVE publication date for timing context.