PatchSiren cyber security CVE debrief
CVE-2017-3440 Oracle CVE debrief
CVE-2017-3440 is a high-severity Oracle Customer Interaction History issue in Oracle E-Business Suite. Oracle’s January 2017 security advisory reference and the NVD record describe it as a network-reachable HTTP vulnerability that can be triggered only with human interaction from someone other than the attacker. If exploited, it can expose critical data and allow unauthorized data changes in the affected Customer Interaction History component, with possible broader impact to related products.
- Vendor: Oracle
- Product: CVE-2017-3440
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and incident responders responsible for Customer Interaction History deployments—especially environments running versions 12.1.1, 12.1.2, or 12.1.3 and any systems reachable over HTTP.
Technical summary
The NVD record lists Oracle Customer Interaction History (E-Business Suite UI subcomponent) as vulnerable in versions 12.1.1, 12.1.2, and 12.1.3. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which matches the description: an unauthenticated network attacker can reach the issue over HTTP, but exploitation requires user interaction. Successful attacks can lead to unauthorized access to critical data or to update/insert/delete access for some accessible data.
Defensive priority
High. The combination of unauthenticated network access, required user interaction, and high confidentiality/integrity impact makes this a priority patch and exposure-review item for affected Oracle E-Business Suite deployments.
Recommended defensive actions
- Apply Oracle’s January 2017 CPU / vendor remediation for the affected Oracle E-Business Suite Customer Interaction History component.
- Inventory Oracle E-Business Suite instances and confirm whether versions 12.1.1, 12.1.2, or 12.1.3 are deployed.
- Review exposure of the Customer Interaction History UI over HTTP and limit access to only approved users and networks.
- Validate that any systems with this component are covered by routine patch management and change-control processes.
- Monitor for unusual access patterns involving Customer Interaction History data and for unexpected create, update, or delete activity.
Evidence notes
The supplied NVD record states: affected versions are 12.1.1, 12.1.2, and 12.1.3; the CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with a base score of 8.2; and the description says the issue is easily exploitable via HTTP, requires human interaction from a person other than the attacker, and can cause unauthorized access to critical data or unauthorized modification of some accessible data. The record also links Oracle’s January 2017 CPU as the vendor advisory/patch reference.
Official resources
- CVE-2017-3440 CVE record (CVE.org)
- CVE-2017-3440 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference: Publicly disclosed in the CVE/NVD record on 2017-01-27; the supplied NVD entry was later modified on 2026-05-13.