CVE-2017-3369 in iSupport
Summary
by MITRE
Vulnerability in the Oracle iSupport component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2 and 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/15/2026
The vulnerability identified as CVE-2017-3369 resides within Oracle iSupport, a component of the Oracle E-Business Suite that provides user interface functionality for support and service operations. This flaw affects specific versions 12.1.1, 12.1.2, and 12.1.3 of the E-Business Suite, representing a significant security risk for organizations utilizing these older releases. The vulnerability operates at the application layer and specifically targets the User Interface subcomponent, making it particularly concerning as it directly impacts how end users interact with the support systems.
The vulnerability stems from insufficient input validation and access control within the iSupport component. An unauthenticated attacker able to send HTTP requests to the affected Oracle E-Business Suite can exploit this weakness to gain unauthorized access to the system. No authentication credentials are needed, which makes the flaw particularly dangerous where the service is exposed to external traffic, although, as the summary states, a successful attack requires human interaction from a person other than the attacker. The attack vector is standard HTTP, so exploitation is possible from any network location that can reach the vulnerable service.
In operational terms, the vulnerability presents a severe risk because it enables unauthorized access to critical data within the Oracle iSupport environment. Successful exploitation can result in complete access to all data accessible through the iSupport component, including sensitive business information, customer data, and operational records. Attackers can also make unauthorized modifications through update, insert, or delete operations, potentially causing significant data integrity issues. The CVSS v3.0 base score of 8.2 indicates high severity, reflecting both the confidentiality and integrity impacts. This vulnerability falls under CWE-284 (Improper Access Control) and aligns with ATT&CK techniques T1078 (Valid Accounts) and T1068 (Exploitation for Privilege Escalation).
Organizations should immediately implement mitigations, starting with the relevant Oracle patches and updates that resolve the access control issues in the iSupport component. Network segmentation, firewall rules and other network access controls should restrict the Oracle E-Business Suite services to authorized network segments, limit external exposure of the vulnerable service, and ensure that only authenticated users with legitimate business needs can reach the iSupport functionality. Intrusion detection systems and monitoring for unusual HTTP traffic patterns can help identify potential exploitation attempts. Remediation should also include reviewing and strengthening access controls across all Oracle E-Business Suite components, as the vulnerability may impact additional products within the suite. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other components of the Oracle E-Business Suite environment.