PatchSiren

CVE-2017-3380 Oracle CVE debrief

CVE-2017-3380 is a vulnerability in the user interface subcomponent of Oracle Advanced Outbound Telephony, part of Oracle E-Business Suite. According to the NVD record, it is network-reachable over HTTP, does not require authentication, and does require human interaction. Oracle lists affected supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The NVD CVSS v3.0 base score is 8.2 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), reflecting a high confidentiality impact, a low integrity impact, and a changed scope.

Vendor: Oracle
Product: CVE-2017-3380
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Advanced Outbound Telephony UI deployments in the affected versions.

Technical summary

The NVD entry describes an Oracle Advanced Outbound Telephony subcomponent issue exposed via HTTP to unauthenticated attackers. Exploitation requires a human interaction step, but successful attacks can lead to unauthorized access to sensitive data and unauthorized modification of some accessible data. The affected CPEs listed by NVD cover Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, and 12.2.3 through 12.2.6.

Defensive priority

High

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite instances use Advanced Outbound Telephony in the affected versions listed by NVD.
  • Review and apply Oracle's January 2017 Critical Patch Update guidance referenced by NVD for CVE-2017-3380.
  • Restrict network exposure to the affected HTTP-accessible user interface to trusted users and segments only.
  • Monitor logs for unexpected access patterns or unusual UI activity related to Advanced Outbound Telephony.
  • Reduce reliance on exposed workflows where human interaction could enable exploitation, and provide user awareness where appropriate.

Evidence notes

This debrief is grounded in the NVD record for CVE-2017-3380, which lists the affected Oracle Advanced Outbound Telephony versions, the CVSS v3.0 vector, and the attack characteristics: network-reachable over HTTP, unauthenticated, and requiring user interaction. Oracle's January 2017 CPU advisory is cited in the NVD references as the vendor patch advisory.

Official resources

CVE published on 2017-01-27T22:59:06.337Z and last modified by NVD on 2026-05-13T00:24:29.033Z. The Oracle January 2017 CPU advisory is the vendor reference cited by NVD.