PatchSiren cyber security CVE debrief
CVE-2017-3436 Oracle CVE debrief
CVE-2017-3436 is a high-severity (CVSS v3.0 base score 8.2) Oracle E-Business Suite issue in the One-to-One Fulfillment component (User Interface). Oracle’s advisory and the NVD record describe it as easily exploitable over HTTP by an unauthenticated attacker, provided a legitimate user can be induced to perform some action (CVSS UI:R). Successful exploitation may expose critical data and allow unauthorized modification of some data in affected One-to-One Fulfillment deployments; the CVSS vector also records a scope change (S:C), meaning the impact is not confined to the vulnerable component itself.
- Vendor: Oracle
- Product: Oracle E-Business Suite, One-to-One Fulfillment component (the source record lists only the CVE ID, CVE-2017-3436, in this field)
- CVSS v3.0 base score: 8.2 (High)
- CISA KEV: not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13 (same as the NVD record-modification date; not a new Oracle advisory release)
Who should care
Oracle E-Business Suite administrators, application security teams, and operations teams running One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Prioritize systems reachable over HTTP, especially where business users interact with the application.
Technical summary
The NVD record maps CVE-2017-3436 to Oracle One-to-One Fulfillment and lists the seven affected versions named above (12.1.1, 12.1.2, 12.1.3 and 12.2.3 through 12.2.6; these are discrete versions, not a contiguous range). The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact and no availability impact. The changed scope is what lifts the score to 8.2; the same impacts with unchanged scope would score 7.1. Oracle’s referenced advisory states that compromise can lead to unauthorized access to critical data or unauthorized update/insert/delete access to some accessible data. NVD assigns only NVD-CWE-noinfo, so no weakness class is documented and the root cause cannot be inferred from the record.
Defensive priority
High. This is a remotely reachable, unauthenticated Oracle application issue affecting confidentiality and integrity, and it should be prioritized for patching or mitigation on any exposed, supported deployment. The only thing standing between an attacker and the data is a user action, which is a weak control on a business application that users interact with all day.
Recommended defensive actions
- Confirm whether any Oracle E-Business Suite instance runs one of the affected One-to-One Fulfillment versions listed in the NVD record (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6); unsupported versions are out of scope for the fix but not for the vulnerability.
- Apply the Oracle Critical Patch Update (CPU) January 2017 remediation referenced by Oracle’s advisory to every affected deployment.
- Restrict network access to the One-to-One Fulfillment user interface wherever possible, and treat any internet-facing instance as the first to patch.
- Monitor for unauthorized access to sensitive data and unexpected inserts, updates or deletes in One-to-One Fulfillment workflows.
- Because exploitation requires user interaction (CVSS UI:R), review the user-facing controls around the application and remind users not to act on unsolicited links or content that targets it; this lowers the likelihood of exploitation but does not remove the need to patch.
Evidence notes
Source evidence is limited to the NVD CVE record and Oracle’s referenced January 2017 CPU advisory. The supplied record supports: affected versions, network-based attack surface, required user interaction, unauthenticated attacker conditions, and confidentiality/integrity impact. No exploit steps, root-cause details, or verified exploitation campaign information are present in the supplied corpus.
Official resources
- CVE-2017-3436 CVE record (CVE.org)
- CVE-2017-3436 NVD detail (NVD)
- Source item: NVD modified-record feed (nvd_modified)
- Mitigation or vendor reference: NVD reference tagged Patch, Vendor Advisory (the reference is an e-mail contact whose address is obfuscated in the source)
- Source reference: published by NVD on 2017-01-27T22:59:08.070Z. The supplied record was later modified on 2026-05-13T00:24:29.033Z; that later date is a record-modification date and should not be treated as the original issue date.