PatchSiren cyber security CVE debrief
CVE-2017-3387 Oracle CVE debrief
CVE-2017-3387 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. Oracle and NVD describe it as an easily exploitable network vulnerability that can be reached over HTTP and requires human interaction, with potential impact to confidentiality and integrity. Affected versions listed in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
- Vendor: Oracle
- Product: CVE-2017-3387
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony deployments—especially where the UI or related HTTP access is reachable from untrusted networks.
Technical summary
The NVD record maps the issue to Oracle Advanced Outbound Telephony (subcomponent: User Interface) and lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with a base score of 8.2. The advisory states that an unauthenticated attacker with network access via HTTP can compromise the component, but successful attacks require human interaction. Impacts include unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.
Defensive priority
High. Prioritize quickly if the affected component is exposed to external or broad internal HTTP access, or if the deployment handles sensitive business data.
Recommended defensive actions
- Confirm whether Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are in use.
- Apply the Oracle January 2017 critical patch update referenced in the vendor advisory, if not already deployed.
- Restrict HTTP access to the affected application paths to trusted networks and users only.
- Review whether the Advanced Outbound Telephony UI is exposed where untrusted users can reach it.
- Monitor for unauthorized data access or unexpected data changes in the affected application area.
- Treat internet-facing deployments as higher priority for validation and remediation.
Evidence notes
This debrief is based only on the supplied NVD record and the linked Oracle advisory/reference. The NVD metadata identifies the affected versions, the network/HTTP access requirement, the need for human interaction, and the CVSS 3.0 vector and score. The Oracle advisory link is the vendor reference cited by NVD; the SecurityFocus BID is a secondary reference. The CVE was published on 2017-01-27; the later NVD modified timestamp does not change the vulnerability's original publication date.
Official resources
- CVE-2017-3387 CVE record (CVE.org)
- CVE-2017-3387 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
Publicly disclosed in Oracle/NVD records on 2017-01-27. The supplied record shows a later NVD modification date of 2026-05-13, but the CVE publication date remains 2017-01-27.