CVE-2017-3266

moderate-risk

Published 2017-01-27

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware (subcomponent: Outside In Filters). Supported versions that are affected are 8.5.2 and 8.5.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In Technology. Successful attacks of this vulnerability can result in takeover of Oracle Outside In Technology. Note: Outside In Technology is a suite of software development kits (SDKs). The protocol and CVSS score depend on the software that uses the Outside In Technology code. The CVSS score assumes that the software passes data received over a network directly to Outside In Technology code, but if data is not received over a network the CVSS score may be lower. CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

Do I need to act?

2.9% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Outside In Technology

Affected Vendors

Oracle

References (6)

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Third Party Advisory http://www.securityfocus.com/bid/95507

http://www.securitytracker.com/id/1037631

Patch http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Third Party Advisory http://www.securityfocus.com/bid/95507

http://www.securitytracker.com/id/1037631

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 6/34 · Minimal

Exposure 7/34 · Low