PatchSiren cyber security CVE debrief
CVE-2017-3379 Oracle CVE debrief
CVE-2017-3379 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. According to NVD, it affects supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vulnerability is described as easily exploitable over HTTP by an unauthenticated attacker, but successful attacks require human interaction from someone other than the attacker. Impact includes unauthorized access to critical data and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3379
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and incident responders responsible for Advanced Outbound Telephony deployments on the affected 12.1.x and 12.2.x releases. Internet-facing environments and teams that allow HTTP access to the component should treat this as a priority.
Technical summary
NVD lists CVE-2017-3379 for Oracle Advanced Outbound Telephony, subcomponent User Interface, with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and base score 8.2. The record indicates network-based exploitation over HTTP without authentication, but with required user interaction. The listed effects are confidentiality and integrity compromise, including unauthorized read access to sensitive data and unauthorized update, insert, or delete actions against some accessible data. Oracle CPU January 2017 is referenced as the vendor advisory source.
Defensive priority
High. The combination of network reachability, no authentication, and high confidentiality impact makes this important to remediate promptly, especially where the application is exposed to untrusted users or external networks.
Recommended defensive actions
- Confirm whether any Oracle E-Business Suite deployment uses Advanced Outbound Telephony on the affected versions listed in NVD.
- Apply Oracle's January 2017 CPU or a later supported cumulative update that remediates the issue.
- Limit HTTP exposure to trusted administrative or internal networks where possible.
- Review application access paths that could enable the required user interaction and reduce unnecessary user-facing exposure.
- Monitor logs and access patterns for unusual requests to the Advanced Outbound Telephony UI.
- Reassess data exposure and permissions for any systems that were publicly reachable during the affected period.
Evidence notes
This debrief is based on the NVD record for CVE-2017-3379 and its referenced Oracle CPU January 2017 vendor advisory. The supplied NVD data identifies Oracle Advanced Outbound Telephony in Oracle E-Business Suite, affected versions 12.1.1 through 12.2.6, network/HTTP attackability, required user interaction, and confidentiality/integrity impact. The record also includes the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with a base score of 8.2.
Official resources
- CVE-2017-3379 CVE record (CVE.org)
- CVE-2017-3379 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
CVE published on 2017-01-27. NVD last modified the record on 2026-05-13. The vendor advisory reference in the supplied corpus is Oracle CPU January 2017.