CVE-2017-10244 in Application Object Library
Summary
by MITRE
Vulnerability in the Oracle Application Object Library component of Oracle E-Business Suite (subcomponent: Attachments). Supported versions that are affected are 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Object Library. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Application Object Library accessible data. CVSS 3.0 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/02/2021
The vulnerability identified as CVE-2017-10244 resides within the Oracle Application Object Library component of Oracle E-Business Suite, specifically within the Attachments subcomponent. This flaw affects multiple version releases including 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, representing a significant attack surface across the Oracle EBS ecosystem. The vulnerability classification as easily exploitable indicates that attackers can leverage this weakness without requiring specialized skills or privileged access, making it particularly dangerous for organizations running these legacy systems. The CVSS 3.0 score of 5.3 reflects a medium severity threat with confidentiality impacts, though the lack of integrity or availability concerns does not diminish its potential for data exfiltration.
The technical nature of this vulnerability stems from insufficient access controls within the attachments functionality of Oracle EBS, allowing unauthenticated attackers to access sensitive data through HTTP network connections. This represents a classic authentication bypass flaw that enables unauthorized read access to a subset of Oracle Application Object Library data. The vulnerability's exploitability is enhanced by its network accessibility, meaning attackers do not require physical presence or internal network access to target the system. The CVSS vector analysis reveals that the attack requires no privileges, no user interaction, and operates over a network connection with low complexity, making it particularly attractive to automated attack tools and threat actors seeking to harvest sensitive business data.
From an operational impact perspective, successful exploitation of CVE-2017-10244 could result in unauthorized access to sensitive business information stored within the Oracle Application Object Library, potentially including financial records, customer data, or proprietary business intelligence. The confidentiality impact rating of 5.3 indicates that while the breach is not catastrophic, it represents a significant data exposure risk that could compromise competitive advantages and regulatory compliance. Organizations utilizing affected Oracle EBS versions face potential regulatory violations under data protection laws such as gdpr, ccpa, and other privacy frameworks that mandate protection of sensitive information. The vulnerability's presence in multiple version releases suggests that organizations may have extended exposure periods, with some systems potentially running unsupported configurations that compound the risk profile.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a specific implementation weakness in Oracle's access control mechanisms for application attachments. From an attacker perspective, this flaw maps to ATT&CK technique T1071.004 (Application Layer Protocol: DNS) and T1046 (Network Service Scanning) as attackers may first identify vulnerable systems before attempting exploitation. Organizations should implement immediate mitigations including network segmentation to restrict access to Oracle EBS components, applying Oracle's security patches as soon as they become available, and implementing additional monitoring for unauthorized access attempts to attachment functionality. The vulnerability also highlights the importance of maintaining up-to-date security configurations and the risks associated with running unsupported software versions that may not receive security updates, particularly in enterprise environments where legacy systems often persist beyond their recommended support lifecycles.