PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3439 Oracle CVE debrief

CVE-2017-3439 is a high-severity Oracle E-Business Suite issue in the One-to-One Fulfillment user interface component. Oracle’s advisory and the NVD record describe it as easily exploitable over HTTP by an unauthenticated attacker, with successful attacks requiring human interaction. The documented impact includes unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data. Oracle lists affected versions including 12.1.1 through 12.2.6. This is not marked as a Known Exploited Vulnerability in the provided corpus, but it is still a strong patching priority because it is network-reachable and can expose sensitive business data.

Vendor: Oracle
Product: CVE-2017-3439
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle E-Business Suite, especially instances running One-to-One Fulfillment in the affected 12.1.x and 12.2.x releases. Incident responders and vulnerability management teams should also care because the issue is unauthenticated, network-accessible, and can affect confidentiality and integrity.

Technical summary

The NVD CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which reflects a network attack path, low attack complexity, no privileges required, and a user-interaction requirement. The vulnerability is scoped to Oracle One-to-One Fulfillment and may significantly impact additional products, according to the CVE description. Oracle and NVD both identify affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Defensive priority

High. The issue is unauthenticated and network-reachable, affects business-critical Oracle E-Business Suite functionality, and can lead to sensitive data exposure and data modification. Even with the user-interaction requirement, this should be prioritized alongside other externally reachable Oracle EBS flaws.

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite deployments run One-to-One Fulfillment in affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle’s January 2017 CPU advisory for the vendor-recommended fix path and apply the relevant update or patch bundle.
  • Restrict HTTP access to Oracle E-Business Suite components to trusted networks where possible while remediation is planned.
  • Monitor for unusual user-interaction-driven activity in affected application workflows and review access patterns to sensitive Fulfillment data.
  • Validate post-patch system behavior and confirm the vulnerable component is no longer exposed in the affected environment.

Evidence notes

The corpus identifies the vulnerability in Oracle One-to-One Fulfillment, subcomponent User Interface, and states that supported affected versions are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Oracle’s referenced CPU January 2017 advisory is the vendor mitigation source in the supplied references. No KEV data is present in the provided corpus.

Official resources

Published on 2017-01-27T22:59:08.180Z. The supplied references point to Oracle’s January 2017 Critical Patch Update advisory, which is the vendor mitigation reference in the corpus.