CVE-2017-3370 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle iSupport component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2 and 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iSupport. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iSupport, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iSupport accessible data as well as unauthorized update, insert or delete access to some of Oracle iSupport accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

CVE-2017-3370 is a serious security flaw in the Oracle iSupport component of Oracle E-Business Suite, specifically in the User Interface subcomponent. It affects Oracle E-Business Suite versions 12.1.1, 12.1.2, and 12.1.3, so the exposure spans several releases of the product. Its classification as easily exploitable means an attacker needs little technical sophistication, and the requirement for only network access via HTTP means the attack surface is reachable over standard web protocols. The impact also extends beyond iSupport itself: successful exploitation can affect additional products within the Oracle E-Business Suite environment, creating cascading risk for organizations that rely on this enterprise software stack.

The flaw stems from insufficient authentication mechanisms in the Oracle iSupport User Interface, allowing an unauthenticated attacker to gain unauthorized access to critical system resources. An attacker could potentially read all Oracle iSupport accessible data, including sensitive business information, user credentials, and operational data. The CVSS v3.0 base score of 8.2 reflects the severity of the impact on both confidentiality and integrity. The ability to perform unauthorized update, insert, or delete operations on some Oracle iSupport accessible data is an especially dangerous aspect, because it permits not only data theft but also data corruption and system manipulation. The requirement for human interaction by someone other than the attacker indicates that social engineering or targeted phishing may be used to trigger exploitation, which makes this vulnerability particularly insidious in real-world scenarios.

The operational impact of CVE-2017-3370 goes well beyond simple data access, since it undermines the security posture of any organization running an affected Oracle E-Business Suite version. Successful exploitation can expose critical business data, potentially including financial records, customer information, and proprietary business intelligence, leading to financial losses, regulatory violations, and competitive disadvantage. Because the vulnerability can affect additional products within the Oracle E-Business Suite, the attack surface is broader than organizations may appreciate: compromise of one component can lead to exploitation of interconnected systems. Depending on the nature of the data exposed, organizations may also face compliance violations under regulatory frameworks such as PCI DSS, HIPAA, and GDPR, which makes the implications particularly severe for enterprises in regulated industries.

Mitigation for CVE-2017-3370 should prioritize immediate patching of affected Oracle E-Business Suite versions, as Oracle has released security patches that address this vulnerability. Organizations should add network-level controls, including firewall rules that restrict access to Oracle iSupport components and, in particular, limit HTTP access to trusted networks and IP addresses. Further defensive measures include monitoring for unusual access patterns, enforcing robust authentication mechanisms, and conducting regular security assessments of the Oracle E-Business Suite environment. The vulnerability's characteristics align with CWE-287 (Improper Authentication) and may relate to ATT&CK techniques involving credential access and privilege escalation. Organizations should also consider network segmentation to limit the blast radius of exploitation and should establish incident response procedures that specifically cover Oracle E-Business Suite vulnerabilities. Regular security awareness training for personnel who interact with these systems helps reduce the risk of the social engineering that exploitation of this vulnerability may depend on.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96166

CPE: ready

EPSS: 0.00973

KEV: no

Activities: very low
