PatchSiren cyber security CVE debrief
CVE-2017-3385 Oracle CVE debrief
CVE-2017-3385 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite, published on 2017-01-27. Oracle identifies it as easily exploitable by an unauthenticated attacker with network access via HTTP, but successful exploitation requires human interaction. If exploited, it can expose critical data and allow unauthorized modification of some Oracle Advanced Outbound Telephony-accessible data.
- Vendor: Oracle
- Product: CVE-2017-3385
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Administrators and security teams running Oracle E-Business Suite instances that include Advanced Outbound Telephony, especially affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Because the issue is network-reachable and unauthenticated, internet-facing or broadly reachable deployments should treat it as a priority.
Technical summary
NVD maps the vulnerability to Oracle Advanced Outbound Telephony (User Interface subcomponent) and lists affected versions 12.1.1 through 12.2.6 as enumerated in the record. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact. Oracle’s published advisory is referenced in the NVD record.
Defensive priority
High. The attack surface is network-based and unauthenticated, and the confidentiality impact is high. Prioritize patch verification and exposure reduction for any affected Oracle E-Business Suite deployment.
Recommended defensive actions
- Confirm whether your Oracle E-Business Suite installation includes Advanced Outbound Telephony and whether any listed affected version is in use.
- Apply Oracle’s January 2017 CPU guidance referenced by NVD for this issue, or the vendor-recommended fix in your maintenance stream.
- Restrict network access to Oracle E-Business Suite and related UI endpoints to trusted administrative and business sources only.
- Review authentication, session, and user-awareness controls because exploitation requires human interaction.
- Validate remediation by checking the exact installed product version against the affected versions listed by NVD.
- Monitor logs for unexpected requests to Oracle E-Business Suite and any suspicious changes to accessible data.
Evidence notes
Facts in this debrief are limited to the supplied CVE record and NVD metadata. The record states that the issue affects Oracle Advanced Outbound Telephony in Oracle E-Business Suite, that it is easily exploitable over HTTP by an unauthenticated attacker, and that successful attacks require human interaction. The affected versions and CVSS vector come from the NVD record. Oracle’s CPU January 2017 advisory is referenced in the source metadata, but no additional advisory details are assumed here.
Official resources
- CVE-2017-3385 CVE record: CVE.org
- CVE-2017-3385 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in the source record on 2017-01-27. This debrief uses the CVE published date from the supplied timeline and does not treat later processing dates as the vulnerability date.