CVE-2017-3336 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

CVE-2017-3336 resides in the Oracle Marketing component of Oracle E-Business Suite, specifically in the User Interface subcomponent. The flaw affects versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, which represents a significant attack surface across the Oracle E-Business Suite ecosystem. Its classification as easily exploitable indicates that attackers can leverage the flaw without specialized skills or tools, making it particularly dangerous in production environments where such systems are often exposed to external networks.

The technical nature of this vulnerability allows unauthenticated attackers to compromise Oracle Marketing through HTTP network access, eliminating the need for valid credentials or prior access to the system. This represents a critical weakness in the authentication and authorization mechanisms within the User Interface component, as the flaw permits direct access to sensitive marketing data and system functions without proper verification. The vulnerability's impact extends beyond the immediate Oracle Marketing component, as successful exploitation can significantly affect additional products within the Oracle E-Business Suite environment, creating cascading security implications that can compromise the entire suite of integrated applications.

From an operational perspective, this vulnerability presents a severe risk to organizations using Oracle E-Business Suite. Successful attacks require human interaction from a user other than the attacker, which suggests that social engineering or targeted user manipulation may be necessary for exploitation. The CVSS v3.0 base score of 8.2 indicates high severity, reflecting the potential for unauthorized access to critical data and complete access to all Oracle Marketing accessible data. Attackers could also gain unauthorized update, insert, or delete access to sensitive marketing information, leading to data integrity compromise and potential financial loss through manipulation of customer data, campaign information, or other critical business assets.

The vulnerability aligns with CWE-287, which addresses improper authentication issues, and represents a significant deviation from proper security practices in the Oracle E-Business Suite implementation. Organizations should consider this weakness in relation to ATT&CK framework techniques including T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol: DNS), as attackers may leverage this vulnerability to establish persistent access to marketing databases.

Effective mitigation strategies should include immediate patching of affected Oracle E-Business Suite versions, network segmentation to limit access to the vulnerable components, implementation of web application firewalls, and enhanced monitoring for suspicious HTTP traffic patterns. Additionally, organizations should conduct comprehensive security assessments to identify other potentially vulnerable components within their Oracle E-Business Suite deployments, and establish robust access controls to prevent unauthorized data access and modification across all integrated applications.

Reservation: 12/06/2016
Disclosure: 01/27/2017
Moderation: accepted
Entry: VDB-96143
CPE: ready
EPSS: 0.00845
KEV: no
Activities: very low
