PatchSiren cyber security CVE debrief
CVE-2017-3383 Oracle CVE debrief
CVE-2017-3383 is a high-severity vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite. According to the CVE record, an unauthenticated attacker with network access via HTTP can exploit the issue, but successful attacks require human interaction from someone other than the attacker. The affected versions listed in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The documented impact includes unauthorized access to critical data and unauthorized update/insert/delete access to some accessible data, with a CVSS v3.0 base score of 8.2.
- Vendor: Oracle
- Product: CVE-2017-3383
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony deployments should prioritize this issue, especially where the component is reachable over HTTP and end-user interaction is possible.
Technical summary
NVD records the vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. That means the attack is network-based with low attack complexity, requires no privileges, needs user interaction, and can cross a scope boundary (S:C); confidentiality impact is high, integrity impact is low, and there is no availability impact. The affected product is Oracle Advanced Outbound Telephony, subcomponent User Interface, with vulnerable versions explicitly enumerated in the record. The CVE metadata also points to Oracle’s January 2017 CPU advisory as the vendor reference.
Defensive priority
High. The issue is remotely reachable, requires no authentication, and can expose sensitive data or alter accessible records. Systems running the affected Oracle E-Business Suite versions should be treated as urgent patch candidates.
Recommended defensive actions
- Check whether Oracle Advanced Outbound Telephony is deployed in Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Review Oracle’s January 2017 Critical Patch Update advisory referenced by NVD and apply the relevant vendor remediation for affected systems.
- Reduce exposure of the Oracle E-Business Suite web interface to trusted networks only, since the vulnerability is reachable via HTTP.
- Monitor for unusual user-driven interactions around the Advanced Outbound Telephony interface, because successful exploitation requires human interaction.
- Validate that any remediation is applied across all affected instances, including test, staging, and production environments.
- After remediation, confirm the affected Oracle component and version inventory so unpatched deployments are not missed.
Evidence notes
All substantive claims above are drawn from the supplied CVE description and NVD metadata. The record states: publishedAt 2017-01-27T22:59:06.430Z; modifiedAt 2026-05-13T00:24:29.033Z. The vulnerability is described as unauthenticated, network-accessible via HTTP, and requiring human interaction. NVD lists the affected CPEs for Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6, and includes the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. NVD references Oracle’s CPU January 2017 advisory and a SecurityFocus BID entry.
Official resources
- CVE-2017-3383 CVE record (CVE.org)
- CVE-2017-3383 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Source reference
Public CVE record published 2017-01-27. The NVD entry was last modified on 2026-05-13. This debrief uses only the supplied CVE/NVD corpus and linked references.