PatchSiren cyber security CVE debrief

CVE-2017-3442 Oracle CVE debrief

CVE-2017-3442 is a high-severity vulnerability in Oracle E-Business Suite’s Customer Interaction History component, specifically the User Interface subcomponent. Oracle and NVD identify affected supported versions 12.1.1, 12.1.2, and 12.1.3. The issue is network reachable over HTTP and can be exploited by an unauthenticated attacker, but successful attacks require human interaction from someone other than the attacker. NVD rates the impact as major confidentiality and integrity exposure, including unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.

Vendor: Oracle
Product: CVE-2017-3442
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and incident responders responsible for Customer Interaction History deployments on versions 12.1.1, 12.1.2, or 12.1.3 should treat this as relevant. Organizations exposing the affected UI over HTTP should prioritize review and patch validation.

Technical summary

NVD lists CVE-2017-3442 as CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) with a primary weakness classification of NVD-CWE-noinfo. The vulnerability affects Oracle Customer Interaction History in Oracle E-Business Suite and is reachable via network HTTP. Exploitation does not require prior authentication, but it does require human interaction. Successful exploitation can expose critical data and permit some unauthorized modification of accessible Customer Interaction History data.

Defensive priority

High. Unauthenticated network reachability combined with high confidentiality impact and some integrity impact makes this a priority for patch verification and exposure reduction on affected Oracle E-Business Suite instances, even though a successful attack requires user interaction.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite Customer Interaction History 12.1.1, 12.1.2, or 12.1.3 is deployed in your environment.
  • Verify installation of the Oracle January 2017 Critical Patch Update referenced by Oracle’s advisory for this issue.
  • Restrict network exposure to the affected HTTP-accessible interface where possible until patch status is confirmed.
  • Review user-facing workflows that depend on Customer Interaction History for any unnecessary prompts, links, or content that could facilitate required human interaction.
  • Audit for unauthorized access or changes to Customer Interaction History data and related application logs.
  • Reassess compensating controls for applications that may be impacted indirectly, as the NVD description notes additional products may be significantly impacted.

Evidence notes

All claims above are based on the supplied NVD CVE record and its referenced Oracle vendor advisory links. The record states the affected versions, attack vector, requirement for human interaction, and the confidentiality/integrity impact. No exploit code, proof-of-concept details, or unsupported operational claims are included.

Official resources

NVD published CVE-2017-3442 on 2017-01-27 and last modified the record on 2026-05-13. This debrief uses the CVE published date for timing context.