PatchSiren cyber security CVE debrief
CVE-2017-3374 Oracle CVE debrief
CVE-2017-3374 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. Oracle and NVD describe it as network-exploitable over HTTP, requiring no attacker authentication but requiring human interaction from another person. Successful attacks can expose sensitive data and enable limited data modification within the affected component.
- Vendor: Oracle
- Product: CVE-2017-3374
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Advanced Outbound Telephony deployments on the affected 12.1.x and 12.2.x releases should treat this as a remediation priority.
Technical summary
NVD lists the issue against Oracle Advanced Outbound Telephony in Oracle E-Business Suite for versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The published CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a remotely reachable flaw with no privileges required, but with user interaction needed. The stated impact includes unauthorized access to critical data or other accessible data, plus unauthorized update, insert, or delete access to some accessible data.
Defensive priority
High. The vulnerability is network-reachable, unauthenticated, and impacts a business-critical Oracle application component, so affected environments should verify patch status promptly.
Recommended defensive actions
- Check whether any Oracle E-Business Suite deployment runs Advanced Outbound Telephony on one of the affected 12.1.x or 12.2.x releases listed by NVD.
- Review Oracle's January 2017 CPU advisory referenced in the CVE record and apply Oracle's recommended remediation for the affected product line.
- Restrict exposure of the affected application surface to trusted networks and limit HTTP access where possible.
- Harden user-facing workflows that could satisfy the required human interaction condition.
- Validate that compensating controls, monitoring, and logging are enabled around the affected Oracle component.
- Confirm remediation by comparing the deployed version and patch level against Oracle's advisory guidance and the NVD record.
Evidence notes
This debrief is based on the supplied NVD CVE record and its linked Oracle vendor advisory reference. The CVE was published on 2017-01-27T22:59:06.133Z and NVD modified the record on 2026-05-13T00:24:29.033Z. The supplied enrichment shows no Known Exploited Vulnerabilities designation and no ransomware campaign flag. Assertions are limited to the description, CVSS vector, affected CPEs, and references present in the source corpus.
Official resources
- CVE-2017-3374 CVE record: CVE.org
- CVE-2017-3374 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed on 2017-01-27 per the supplied CVE record; later modified in NVD on 2026-05-13. No KEV listing is provided in the supplied enrichment.