CVE-2017-3351 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

CVE-2017-3351 is a critical flaw in the Marketing component of Oracle E-Business Suite, specifically in its User Interface subcomponent. It affects releases 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6, so the weakness has persisted across several release cycles. Oracle rates it as easily exploitable, meaning an attacker needs neither specialized skills nor significant resources, which matters because E-Business Suite deployments are often reachable from external networks.

The flaw lets an unauthenticated attacker with HTTP network access compromise Oracle Marketing. The User Interface subcomponent is the primary point of interaction for users and therefore a large attack surface. Because successful exploitation requires interaction from a person other than the attacker, the attack chain depends on a legitimate user taking some action; the initial request itself is still network-based and requires no credentials.

The operational impact is severe. A successful attack can expose critical data, up to all data accessible through Oracle Marketing, and can also allow unauthorized update, insert and delete operations on some of that data, compromising both confidentiality and integrity. The CVSS v3.0 base score of 8.2 reflects high impact ratings for both confidentiality and integrity.

Oracle notes that, although the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. This scope change suggests the issue is not confined to one component and that a foothold in Marketing could serve as an entry point into interconnected parts of the E-Business Suite. In ATT&CK terms the HTTP attack vector and the user-interaction requirement place this vulnerability in the initial access tactic, with lateral movement and privilege escalation as the likely follow-on steps. Organizations should treat it as one entry point within a broader threat landscape rather than as an isolated Marketing issue.

Mitigation should start with applying Oracle's patches to every affected E-Business Suite release, since the fix lies in the User Interface subcomponent itself. Where patching is delayed, network segmentation and firewall rules should restrict HTTP access to the affected components to the networks that genuinely need it. Monitoring and logging of access to the Marketing component, together with an incident response procedure for suspected exploitation, provide detection and containment. Finally, access control policies should be reviewed to confirm that no system interface accepts unauthenticated requests it does not need to serve.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96154

CPE: ready

EPSS: 0.00845

KEV: no

Activities: low

Sources
