PatchSiren

CVE-2017-3382 Oracle CVE debrief

CVE-2017-3382 is a High-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite’s User Interface component. Oracle and NVD describe it as remotely reachable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction. The documented impact includes unauthorized access to critical data and unauthorized modification of some accessible data, with potential spillover impact to additional products.

Vendor: Oracle
Product: CVE-2017-3382
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony deployments on affected 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 environments.

Technical summary

The NVD record maps the issue to Oracle Advanced Outbound Telephony and lists the affected CPEs for versions 12.1.1 through 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network-exploitable issue that requires no privileges but does require user interaction, and that involves a scope change. Source descriptions state that successful attacks can lead to unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.

Defensive priority

High. Although user interaction is required, the combination of unauthenticated network reachability, confidentiality impact, and integrity impact makes this a priority issue for exposed Oracle E-Business Suite instances.

Recommended defensive actions

  • Review Oracle CPU January 2017 guidance and confirm whether Advanced Outbound Telephony is installed in any E-Business Suite environment.
  • Identify and inventory affected versions: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Apply the Oracle vendor remediation referenced by the CPU January 2017 advisory where applicable.
  • Restrict external HTTP access to Oracle E-Business Suite components and reduce exposure where business requirements allow.
  • Monitor for unusual user-facing activity in Advanced Outbound Telephony workflows, since exploitation requires human interaction.
  • Validate that compensating controls, patch baselines, and change records cover this component across all E-Business Suite deployments.

Evidence notes

Source data from NVD and Oracle references shows CVE publication on 2017-01-27. The description states the issue affects Oracle Advanced Outbound Telephony in Oracle E-Business Suite and lists the impacted supported versions. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N supports the network-reachable, unauthenticated-but-user-interactive characterization.

Official resources

Publicly disclosed and recorded on 2017-01-27, with Oracle CPU January 2017 cited as the vendor advisory reference in NVD.