CVE-2017-3357 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Marketing component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Marketing, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data as well as unauthorized update, insert or delete access to some of Oracle Marketing accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

CVE-2017-3357 resides in the Oracle Marketing component of Oracle E-Business Suite, specifically in the User Interface subcomponent. This critical flaw affects the version lines 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6, which amounts to a broad attack surface across deployed Oracle E-Business Suite installations. Its classification as easily exploitable means an attacker needs little technical sophistication to use it, which makes it particularly dangerous in production environments where these systems handle sensitive business data.

Technically, the vulnerability stems from insufficient authentication within the Oracle Marketing interface: an unauthenticated attacker who can reach the application over HTTP can compromise the Oracle Marketing component without valid credentials or any prior access to the system. The flaw sits in the user interface layer, which is the primary entry point for user interaction with the marketing functionality. In CWE terms this is a classic authentication bypass, where the system fails to properly validate user credentials before granting access to protected resources.

The operational impact extends well beyond the Oracle Marketing component itself. Successful exploitation can yield unauthorized access to critical data and complete access to all data reachable through Oracle Marketing, and attackers can perform unauthorized update, insert, or delete operations against that data, opening the door to data corruption, information leakage, and wider system compromise. The CVSS v3.0 base score of 8.2 reflects the combined confidentiality and integrity impact: an adversary can not only read sensitive information but also modify or destroy data in the marketing system. Because the advisory notes that attacks may significantly impact additional products, a single flaw in one component can cascade into security issues across interconnected Oracle E-Business Suite modules.

Organizations running affected versions face a significant risk of data breaches and operational disruption, particularly because the attack requires only network access and human interaction from a third party rather than a prior compromise of the system. Exploitation can expose customer information, marketing campaign data, and other sensitive business information stored in Oracle Marketing. From an ATT&CK perspective, the vulnerability aligns with initial access through exploitation of a network-facing service and with follow-on data manipulation. The ease of exploitation combined with the potential for data compromise makes it attractive to threat actors targeting enterprises that depend on Oracle E-Business Suite for critical operations. Mitigation should include prompt deployment of the vendor patch, network segmentation that limits who can reach the Oracle Marketing interface over HTTP, and enhanced monitoring of HTTP traffic to that interface to detect exploitation attempts.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96158

CPE: ready

EPSS: 0.00845

KEV: no

Activities: very low
