PatchSiren

CVE-2017-3384 Oracle CVE debrief

CVE-2017-3384 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite that Oracle and NVD describe as easily exploitable over HTTP by an unauthenticated attacker. The issue requires user interaction and can expose or modify sensitive telephony-accessible data. Affected versions listed in the source data are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Vendor: Oracle
Product: CVE-2017-3384
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony deployments should prioritize this CVE, especially where the component is exposed to network access and where users may be prompted to interact with content delivered through the UI.

Technical summary

NVD records CVE-2017-3384 with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and a base score of 8.2. The vulnerability is in the Oracle Advanced Outbound Telephony user interface component of Oracle E-Business Suite. The source description states that exploitation is possible via HTTP without authentication, but successful attacks require human interaction. Impact includes unauthorized access to critical data or all accessible telephony data, plus unauthorized update/insert/delete access to some accessible data.

Defensive priority

High. This should be treated as a near-term remediation item for Oracle E-Business Suite environments that use Advanced Outbound Telephony, particularly because the source describes network-based exploitation with no authentication required and high confidentiality impact.

Recommended defensive actions

  • Review Oracle's January 2017 CPU advisory referenced by NVD and confirm whether the affected E-Business Suite versions are in use.
  • Apply Oracle-recommended patches or mitigations for Advanced Outbound Telephony on all affected versions: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Restrict network exposure to the E-Business Suite interfaces serving the component, especially where HTTP access is possible.
  • Monitor for unexpected user interaction flows in the Advanced Outbound Telephony UI and investigate unusual data access or data modification activity.
  • Inventory whether the product is present in any environment that may be reachable from untrusted networks and prioritize those systems first.

Evidence notes

All substantive claims are drawn from the supplied NVD record and its metadata. The record lists Oracle as the vendor, identifies the affected component as Oracle Advanced Outbound Telephony in Oracle E-Business Suite, includes the CVSS vector and score, and references Oracle's CPU January 2017 advisory plus a SecurityFocus BID reference. The supplied timeline places public disclosure at 2017-01-27T22:59:06.460Z and the latest NVD modification at 2026-05-13T00:24:29.033Z. No KEV entry was supplied.

Official resources

Publicly disclosed in the supplied record on 2017-01-27T22:59:06.460Z. The NVD entry was last modified on 2026-05-13T00:24:29.033Z. No CISA KEV addition was supplied.