PatchSiren cyber security CVE debrief

CVE-2017-3437 Oracle CVE debrief

CVE-2017-3437 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite, published on 2017-01-27. NVD lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is reachable over HTTP, requires no privileges, but does require user interaction from a person other than the attacker. Oracle/NVD describe the impact as unauthorized access to critical data or full access to One-to-One Fulfillment accessible data, plus unauthorized update, insert, or delete access to some of that data. NVD assigns CVSS v3.0 8.2 (HIGH).

Vendor: Oracle
Product: CVE-2017-3437
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, patch-management owners, and incident responders responsible for One-to-One Fulfillment deployments.

Technical summary

The NVD record shows a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. The listed weakness is NVD-CWE-noinfo, so the corpus provides no more specific CWE classification. The vulnerable component is Oracle One-to-One Fulfillment within Oracle E-Business Suite, and the supplied metadata indicates the issue affects each of the enumerated supported versions.

Defensive priority

High. Treat as a prompt patch-and-verify issue for any Oracle E-Business Suite environment running an affected One-to-One Fulfillment version, especially if HTTP exposure is present.

Recommended defensive actions

  • Inventory Oracle E-Business Suite deployments and confirm whether One-to-One Fulfillment version 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 is in use.
  • Apply the Oracle January 2017 Critical Patch Update referenced by NVD, or a later Oracle-fixed release, in a controlled maintenance window.
  • Limit exposure of the affected application to trusted networks where possible and review any externally reachable HTTP endpoints.
  • Because successful attacks require user interaction, reinforce user awareness around unexpected prompts or workflow actions tied to the affected application.
  • Review application and web access logs for anomalous requests against One-to-One Fulfillment and investigate suspicious activity.
  • After remediation, rescan and verify that the affected component is no longer reported as vulnerable.

Evidence notes

This debrief is grounded in the supplied NVD record for CVE-2017-3437 and the Oracle Critical Patch Update January 2017 advisory reference included by NVD. The source data provides the affected versions, the CVSS v3.0 vector and score, the HTTP/network exposure, the user-interaction requirement, and the confidentiality/integrity impact statements. The weakness classification in the corpus is NVD-CWE-noinfo.

Official resources

Public debrief derived only from the supplied official vulnerability metadata and vendor advisory reference. No exploit instructions, reproduction steps, or unsupported claims included.