PatchSiren

CVE-2017-3381 Oracle CVE debrief

CVE-2017-3381 is a high-severity Oracle E-Business Suite issue in the Advanced Outbound Telephony user interface. According to NVD, it is network accessible over HTTP, does not require privileges, and can be triggered only with user interaction. The published impact includes unauthorized access to sensitive data and unauthorized modification of some accessible data. Oracle’s January 2017 CPU is the referenced vendor advisory for this issue.

Vendor: Oracle
Product: CVE-2017-3381
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams running Advanced Outbound Telephony on affected releases 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 should treat this as relevant.

Technical summary

NVD classifies the flaw as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with a base score of 8.2. The affected component is Oracle Advanced Outbound Telephony, subcomponent User Interface. NVD lists vulnerability status as Modified and cites Oracle’s January 2017 security advisory as a vendor reference. The weakness is recorded as NVD-CWE-noinfo.

Defensive priority

High. The combination of network exposure, no required privileges, and confidentiality/integrity impact makes this a priority for patch verification and exposure reduction in Oracle E-Business Suite environments.

Recommended defensive actions

  • Confirm whether any Oracle E-Business Suite instances are running affected Advanced Outbound Telephony versions listed by NVD.
  • Apply the Oracle January 2017 CPU referenced in the vendor advisory for affected systems.
  • Reduce HTTP exposure to the application wherever possible by limiting network access to trusted administrative and user networks.
  • Review the Advanced Outbound Telephony interface for unexpected access patterns or unauthorized data changes.
  • Use the official Oracle and NVD records to validate remediation status and version applicability.

Evidence notes

Evidence from NVD states: Oracle Advanced Outbound Telephony User Interface is affected; supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 are vulnerable; the attack is network-based via HTTP and requires user interaction. NVD gives CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and base score 8.2. NVD references Oracle CPU January 2017 and a SecurityFocus BID entry. The CVE was published on 2017-01-27 and later modified by NVD on 2026-05-13; those dates are used only for disclosure/timeline context.

Official resources

Publicly disclosed on 2017-01-27; NVD later modified the record on 2026-05-13. Oracle’s January 2017 security advisory is the referenced vendor mitigation source.