PatchSiren cyber security CVE debrief
CVE-2017-3377 Oracle CVE debrief
CVE-2017-3377 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. NVD describes it as easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. Oracle’s affected versions listed in NVD are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The recorded impact includes unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3377
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Advanced Outbound Telephony deployments should care, especially where the component is reachable over HTTP.
Technical summary
NVD records CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which indicates a network-reachable flaw with low attack complexity, no privileges required, and required user interaction. The weakness is mapped generically as NVD-CWE-noinfo. The affected CPEs in the NVD record are Oracle Advanced Outbound Telephony versions 12.1.1 through 12.2.6 as listed in the source corpus. NVD references Oracle’s January 2017 CPU advisory as the vendor patch reference.
Defensive priority
High. The combination of network exposure, no authentication, required user interaction, and high confidentiality impact justifies prompt review and patch planning for affected Oracle E-Business Suite environments.
Recommended defensive actions
- Confirm whether Oracle Advanced Outbound Telephony is installed and whether any listed affected versions are in use.
- Review Oracle’s January 2017 CPU advisory referenced by NVD and apply the vendor fix or cumulative patch set that addresses this CVE.
- Reduce exposure of the affected HTTP-accessible interface where operationally possible, especially from untrusted networks.
- Identify workflows that rely on user interaction and raise awareness so users are less likely to complete attacker-triggered actions.
- Verify that compensating controls, monitoring, and access restrictions are in place for any unpatched affected instance.
- After remediation, validate the environment against the affected version list in the NVD record to confirm coverage.
Evidence notes
This debrief is based only on the supplied NVD-derived source item and the linked official records. Key evidence used: the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N; the affected Oracle Advanced Outbound Telephony versions listed in the cpeCriteria; the description stating unauthenticated network access via HTTP and the need for human interaction; and the NVD references to Oracle’s January 2017 CPU advisory and a SecurityFocus entry.
Official resources
- CVE-2017-3377 CVE record (CVE.org)
- CVE-2017-3377 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Publicly disclosed on 2017-01-27T22:59:06.240Z. NVD shows the record as modified on 2026-05-13T00:24:29.033Z.