PatchSiren cyber security CVE debrief
CVE-2017-3438 Oracle CVE debrief
CVE-2017-3438 is a high-severity Oracle One-to-One Fulfillment vulnerability in Oracle E-Business Suite's User Interface component. NVD describes it as easily exploitable by an unauthenticated attacker with network access via HTTP, while also noting that successful exploitation requires human interaction from someone other than the attacker. Impact can include unauthorized access to critical data and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3438
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application owners, and security teams responsible for systems running One-to-One Fulfillment versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Any organization exposing the affected interface over HTTP should treat this as a priority review item.
Technical summary
The NVD record maps CVE-2017-3438 to Oracle One-to-One Fulfillment in Oracle E-Business Suite, subcomponent User Interface. The supplied CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which indicates network attackability, no privileges required, user interaction required, high confidentiality impact, and low integrity impact. NVD lists affected CPEs for versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The weakness entry is NVD-CWE-noinfo, so the precise CWE is not identified in the supplied data.
Defensive priority
High. The combination of unauthenticated network reachability, required user interaction, and possible access to critical or modifiable data makes this worth prompt patch validation and exposure reduction on any affected Oracle E-Business Suite deployment.
Recommended defensive actions
- Confirm whether any Oracle E-Business Suite systems run One-to-One Fulfillment in the affected versions listed by NVD.
- Apply the Oracle vendor update referenced in the NVD record: CPU Jan 2017 advisory.
- Restrict network access to the affected Oracle application paths so only authorized users and systems can reach them.
- Review whether any business processes rely on user interaction flows that could expose the vulnerable interface and minimize unnecessary exposure.
- Monitor affected systems for unexpected requests or abnormal activity around the One-to-One Fulfillment UI.
- Document remediation status for each affected version and verify that patched systems are no longer on the vulnerable CPE versions.
Evidence notes
All factual claims are drawn from the supplied CVE/NVD corpus. The CVE was published on 2017-01-27T22:59:08.133Z and later modified in the NVD record on 2026-05-13T00:24:29.033Z; the vulnerability date used here is the original CVE publication date, not the later modification timestamp. NVD states the issue is in Oracle One-to-One Fulfillment, subcomponent User Interface, and lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The supplied CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with base score 8.2. NVD references Oracle CPU Jan 2017 as a vendor advisory/patch reference and SecurityFocus BID 95569 as a secondary reference. No exploit steps or unsupported claims are included.
Official resources
- CVE-2017-3438 CVE record (CVE.org)
- CVE-2017-3438 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: First published in the CVE record on 2017-01-27T22:59:08.133Z. The NVD entry was later modified on 2026-05-13T00:24:29.033Z, but that does not change the original disclosure date.