PatchSiren

CVE-2017-3376 Oracle CVE debrief

CVE-2017-3376 is a vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated attacker, but successful attacks require human interaction by someone other than the attacker. The impact is primarily on confidentiality and integrity, with potential unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.

Vendor: Oracle
Product: CVE-2017-3376
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Advanced Outbound Telephony deployments, especially environments running any of the affected versions listed by Oracle and NVD.

Technical summary

The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network-reachable issue with no privileges required but with user interaction needed. The affected Oracle Advanced Outbound Telephony versions listed in the source data are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The source corpus does not provide a specific CWE beyond NVD-CWE-noinfo.

Defensive priority

High. The flaw is unauthenticated, network-accessible, and can expose or alter sensitive application data, even though user interaction is required.

Recommended defensive actions

  • Apply the Oracle January 2017 CPU referenced in the vendor advisory for affected systems.
  • Verify whether any Oracle E-Business Suite instances include Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Restrict exposure of the affected application paths to trusted networks and users while patching is planned.
  • Review application access controls and user activity for unexpected data access or modifications after remediation.
  • Track Oracle and NVD advisories for any follow-up guidance or version-specific remediation details.

Evidence notes

All facts in this debrief come from the supplied NVD record and its referenced Oracle vendor advisory. The issue was published in the source record on 2017-01-27 and later modified in NVD on 2026-05-13; that later date reflects record maintenance, not a new vulnerability date. The source data does not include a KEV listing.

Official resources

Publicly disclosed in the Oracle January 2017 CPU timeframe and recorded by NVD on 2017-01-27. No Known Exploited Vulnerabilities entry is present in the supplied data.