PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3441 Oracle CVE debrief

CVE-2017-3441 is a HIGH-severity Oracle Customer Interaction History vulnerability in Oracle E-Business Suite. Oracle states it is easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction. If exploited, the issue can lead to unauthorized access to critical data, full access to Customer Interaction History data, and unauthorized update, insert, or delete access to some of that data. The CVE was published on 2017-01-27.

Vendor: Oracle
Product: CVE-2017-3441
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and incident responders responsible for environments running Customer Interaction History 12.1.1, 12.1.2, or 12.1.3 should prioritize review and remediation. Organizations exposing the affected component to network access via HTTP should be especially attentive.

Technical summary

NVD maps the affected Oracle Customer Interaction History component to CPEs for versions 12.1.1, 12.1.2, and 12.1.3. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with a base score of 8.2. Read metric by metric: the attack is network-reachable (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N) but does require user interaction (UI:R), and has changed scope (S:C), meaning the impact can extend beyond the vulnerable component. Confidentiality impact is high (C:H), integrity impact is low (I:L), and there is no availability impact (A:N). NVD does not assign a specific CWE; the weakness is recorded as NVD-CWE-noinfo.

Defensive priority

High. The combination of network reachability, no authentication, and meaningful confidentiality/integrity impact makes this a priority for patch validation and exposure review, especially in production E-Business Suite deployments.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite Customer Interaction History 12.1.1, 12.1.2, or 12.1.3 is deployed in your environment.
  • Review Oracle's January 2017 Critical Patch Update advisory for the vendor-recommended remediation path.
  • Apply the vendor patch or mitigation referenced by Oracle as soon as feasible.
  • Restrict network exposure to the affected HTTP-accessible component until remediation is complete.
  • Monitor for unusual access to Customer Interaction History data and for unexpected update, insert, or delete activity.
  • Verify whether any dependent products or workflows could be affected by compromise of this component.

Evidence notes

All statements are drawn from the supplied NVD record and Oracle reference links. The CVE was published on 2017-01-27. NVD lists affected CPEs for Oracle Customer Interaction History versions 12.1.1, 12.1.2, and 12.1.3 and records CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. NVD also marks the weakness as NVD-CWE-noinfo, so a more precise CWE is not supported by the source corpus here.

Official resources

Publicly disclosed in the CVE record on 2017-01-27. No KEV listing was provided in the source data.