PatchSiren

CVE-2017-3378 Oracle CVE debrief

CVE-2017-3378 is a high-severity Oracle E-Business Suite issue in the Advanced Outbound Telephony user interface. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction. If abused, it can expose critical data and allow unauthorized data changes in affected Advanced Outbound Telephony environments.

Vendor: Oracle
Product: CVE-2017-3378
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, security teams, and application owners running Advanced Outbound Telephony on affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 should treat this as relevant. Because the attack is network-reachable and does not require prior authentication, internet-exposed or broadly reachable deployments deserve immediate attention.

Technical summary

NVD lists CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which indicates a network-reachable flaw with low attack complexity, no privileges required, and user interaction required. The remaining metrics record a changed scope (S:C), high confidentiality impact, low integrity impact, and no availability impact. The vulnerability is in Oracle Advanced Outbound Telephony, subcomponent User Interface, and the published record says it can lead to unauthorized access to critical data, complete access to accessible data, and unauthorized update/insert/delete operations for some data. NVD lists affected CPEs for Advanced Outbound Telephony versions 12.1.1 through 12.2.6.

Defensive priority

High. The combination of unauthenticated network reachability, confidentiality impact, and an exploitation path that needs only human interaction makes this a strong patch-and-verify candidate for exposed Oracle E-Business Suite instances.

Recommended defensive actions

  • Apply the Oracle CPU January 2017 remediation referenced in the vendor advisory for affected systems.
  • Inventory Oracle E-Business Suite deployments to confirm whether Advanced Outbound Telephony is installed and which version is running.
  • Prioritize systems on versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Restrict network access to the affected interface where feasible, especially for internet-exposed or broadly reachable deployments.
  • Review application logs and user activity around the affected UI for unusual access or unauthorized data changes.
  • Validate that the vendor fix is in place after remediation and that the vulnerable component is no longer exposed to untrusted networks.

Evidence notes

All statements are drawn from the supplied NVD record and Oracle reference links. The source record identifies the vulnerable product as Oracle Advanced Outbound Telephony in Oracle E-Business Suite, gives the affected versions, and includes the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The NVD metadata also marks the weakness as NVD-CWE-noinfo, so no specific CWE is asserted here. The CVE was published on 2017-01-27 and the NVD record was later modified on 2026-05-13; those dates are used only as disclosure/record-timeline context.

Official resources

Publicly disclosed in the Oracle/NVD record on 2017-01-27. The supplied NVD entry was later modified on 2026-05-13, but that is a record update date rather than the vulnerability's original publication date.