PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3373 Oracle CVE debrief

CVE-2017-3373 is a high-severity vulnerability in Oracle Advanced Outbound Telephony, a component of Oracle E-Business Suite. Oracle and NVD indicate that supported versions 12.1.1 through 12.2.6 were affected. The issue is network-accessible over HTTP, does not require authentication, and needs human interaction from someone other than the attacker. Successful exploitation could expose critical data and allow some data modification.

Vendor: Oracle
Product: CVE-2017-3373
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Advanced Outbound Telephony deployments should prioritize this advisory. Security teams should also care if the component is exposed to untrusted networks or used in business processes where a user could be induced to interact with attacker-controlled content.

Technical summary

NVD classifies the issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, yielding a base score of 8.2. The vulnerability affects Oracle Advanced Outbound Telephony UI and is documented by NVD as impacting multiple listed product versions. The supplied NVD data does not provide a more specific CWE than NVD-CWE-noinfo. The risk profile is driven by unauthenticated network reachability, required user interaction, and the potential for confidentiality and integrity impact.

Defensive priority

High. This is a network-reachable, unauthenticated vulnerability with meaningful confidentiality and integrity impact, even though user interaction is required. Treat it as a prompt patch-and-exposure-review item for any environment running affected Oracle E-Business Suite versions.

Recommended defensive actions

  • Apply the Oracle January 2017 Critical Patch Update referenced by Oracle for this CVE, or the latest cumulative Oracle security update that remediates it.
  • Confirm whether Oracle Advanced Outbound Telephony is deployed in any 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 environment.
  • Restrict network access to the affected HTTP-exposed component so only trusted administrative or business networks can reach it.
  • Review application logs and related access logs for unusual requests or user-interaction patterns around the exposed component.
  • Validate patch deployment after maintenance windows and verify that affected instances are no longer exposed on unnecessary interfaces.

Evidence notes

Primary evidence comes from the official NVD record and the Oracle vendor advisory referenced in NVD metadata. NVD lists the publication time as 2017-01-27T22:59:06.100Z and the modified time as 2026-05-13T00:24:29.033Z. The record identifies affected Oracle Advanced Outbound Telephony versions and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. NVD also records the weakness as NVD-CWE-noinfo, so no more specific CWE should be inferred from the supplied corpus.

Official resources

Publicly disclosed in the official vulnerability record on 2017-01-27, with Oracle advisory references included in NVD metadata. Use the CVE publication timestamp as the disclosure date for this debrief.