PatchSiren cyber security CVE debrief
CVE-2017-3435 Oracle CVE debrief
CVE-2017-3435 is a high-severity Oracle E-Business Suite issue in the One-to-One Fulfillment user interface. NVD describes it as easily exploitable over HTTP by an unauthenticated network attacker, but requiring human interaction from someone other than the attacker. Oracle and NVD list affected supported versions from 12.1.1 through 12.2.6. The published impact centers on confidentiality and integrity, with Oracle noting that successful attacks may also affect additional products.
- Vendor: Oracle
- Product: CVE-2017-3435
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, SOC/IR teams, and business owners running the One-to-One Fulfillment component should prioritize this issue, especially where the UI is reachable from untrusted networks or broadly accessible internally.
Technical summary
The NVD record for CVE-2017-3435 lists a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, a user-interaction condition, and a changed scope (the impact can extend beyond the vulnerable component), with high confidentiality impact, low integrity impact, and no availability impact. The vulnerable component is Oracle One-to-One Fulfillment (subcomponent: User Interface) in supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The record also links to Oracle's January 2017 critical patch update advisory and a SecurityFocus BID entry.
Defensive priority
High. The attack surface is network-based and unauthenticated, and the potential impact includes unauthorized access to critical data plus unauthorized data modification. The user-interaction requirement lowers exploitability somewhat, but not enough to reduce priority for exposed or widely used E-Business Suite deployments.
Recommended defensive actions
- Identify whether Oracle E-Business Suite One-to-One Fulfillment is deployed and map all instances to the affected versions listed by NVD.
- Review Oracle's January 2017 critical patch update advisory referenced in the NVD record and apply the relevant Oracle security updates or later cumulative remediation as applicable.
- Restrict network exposure to the Oracle E-Business Suite UI to the minimum necessary users and networks.
- Monitor authentication, session, and application logs for unusual activity around the One-to-One Fulfillment UI.
- Validate that adjacent Oracle E-Business Suite components are also reviewed, since Oracle notes that successful attacks may significantly impact additional products.
- Prioritize patch validation and post-change verification for production instances that handle sensitive or high-value data.
Evidence notes
This debrief is based only on the supplied NVD CVE record snapshot and its listed references. The record identifies Oracle One-to-One Fulfillment UI, the affected supported versions, the CVSS vector and score, and references Oracle's CPU January 2017 advisory plus SecurityFocus BID 95569. No exploit code or unverified advisory content was used.
Official resources
- CVE-2017-3435 CVE record (CVE.org)
- CVE-2017-3435 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed on 2017-01-27 in the CVE/NVD record, with an Oracle January 2017 advisory reference listed by NVD.