Analyst readout for executives and security teams
Plain-English summary
CVE-2017-3501 affects Oracle Primavera Unifier and can let an unauthenticated attacker reachable over HTTP read or modify some application data. It requires user interaction, which lowers immediacy, but business impact can still matter where Unifier holds project, contract, or operational records.
Executive priority
Treat as a moderate priority data-integrity and confidentiality issue. Prioritize systems containing sensitive project, financial, supplier, or operational data, particularly if externally reachable or running unsupported versions.
Technical view
Affected Primavera Unifier versions are 9.13, 9.14, 10.0, 10.1, 15.1, and 15.2. The CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Sources describe unauthorized read, update, insert, or delete access to subsets of accessible data, with possible impact beyond Unifier.
Likely exposure
Exposure is most likely in organizations still running the listed Primavera Unifier versions, especially if reachable over HTTP from untrusted networks. Current exposure cannot be inferred from the sources without asset inventory and version validation.
Exploitation context
The provided sources do not state active exploitation, and the CVE is not marked KEV. Exploitation is described as low complexity and unauthenticated over HTTP, but it requires interaction by someone other than the attacker.
Researcher notes
Evidence is limited to the CVE description and referenced advisories. The sources do not identify a CWE, root cause, exploit technique, affected fixed versions, or confirmed exploitation. Avoid assuming product impact beyond the affected Unifier versions named by Oracle/CVE.
Mitigation direction
- Inventory Primavera Unifier instances and confirm versions.
- Review Oracle April 2017 CPU guidance for patches or supported upgrade paths.
- Restrict HTTP access to trusted networks until remediation is confirmed.
- Monitor Unifier data read and modification activity for anomalies.
- Retire or isolate unsupported affected versions.
Validation and detection
- Check whether any Unifier instance runs an affected version.
- Confirm whether Oracle CPU remediation has been applied.
- Review network exposure for HTTP access to Unifier.
- Audit recent unusual reads, updates, inserts, or deletes in Unifier.
- Document compensating controls for any unpatched instance.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2017-3501 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.htmlCVE reference · x_refsource_CONFIRM
- 97895CVE reference · vdb-entry, x_refsource_BID
- 1038289CVE reference · vdb-entry, x_refsource_SECTRACK
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
