Cyber Resilience

CVE-2017-3506

HighCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 24 April 2017

Published
24 April 2017
Modified
22 April 2026
KEV Added
03 June 2024
Patch
CVSS Score v3.1 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.9441 100.0th percentile
Risk Priority 91 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2017-3506 is a high-severity OS Command Injection (CWE-78) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.4 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2017-3506 is a vulnerability in the Web Services subcomponent of Oracle WebLogic Server within Oracle Fusion Middleware. It affects supported versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, and 12.2.1.2. The flaw is rated with a CVSS 3.0 base score of 7.4 and carries the vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), reflecting high impact on confidentiality and integrity.

An unauthenticated attacker with network access via HTTP can exploit the issue, although exploitation is rated difficult. Successful attacks allow unauthorized creation, deletion, or modification of critical data accessible to Oracle WebLogic Server, along with unauthorized access to or complete exposure of all such data.

The primary Oracle advisory at http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html, along with related notices on SecurityFocus and SecurityTracker, addresses remediation steps and patch availability for the affected WebLogic versions. No information on observed in-the-wild exploitation is provided in the source references.

EU & UK References

Vulnerability details

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise…

more

Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CWE(s)
KEV Date Added
03 June 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

oracle
weblogic server
10.3.6.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for logical access to Oracle WebLogic web services, blocking the unauthenticated HTTP attacker path described in the CVE.

prevent

Mandates timely application of vendor patches that close the WebLogic Web Services flaw before exploitation can succeed.

prevent

Boundary protection devices or proxies can restrict or inspect inbound HTTP traffic to the vulnerable WebLogic component, limiting network-accessible attack surface.

References