PatchSiren

CVE-2017-3388 Oracle CVE debrief

CVE-2017-3388 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction from someone other than the attacker. If exploited, it can expose critical data and permit unauthorized data changes in affected Advanced Outbound Telephony data.

Vendor: Oracle
Product: CVE-2017-3388
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for environments using Advanced Outbound Telephony, especially the affected 12.1.x and 12.2.x releases listed in the advisory.

Technical summary

The NVD record maps CVE-2017-3388 to Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network attack path, low complexity, no privileges required, and user interaction required. NVD describes confidentiality impact as high and integrity impact as low, with scope changed.

Defensive priority

High. The vulnerability is network-reachable, requires no authentication, and affects sensitive enterprise application data. Prioritize patching and exposure reduction for any instance running a listed affected version.

Recommended defensive actions

  • Confirm whether Oracle Advanced Outbound Telephony is present and whether the environment matches one of the affected versions listed by NVD.
  • Apply the Oracle CPU January 2017 security update referenced in the vendor advisory for CVE-2017-3388, or the latest Oracle patch set that remediates it.
  • Reduce external exposure of Oracle E-Business Suite services where possible, since the attack path is network-based over HTTP.
  • Review user awareness and workflow controls because exploitation requires human interaction.
  • Validate remediation by rechecking version and patch status against Oracle's advisory and the NVD record.

Evidence notes

The source corpus shows Oracle Advanced Outbound Telephony as the affected product, with vulnerable versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N supports the assessment that the issue is remotely reachable, unauthenticated, and dependent on user interaction. Oracle's CPU January 2017 advisory is listed as the vendor patch reference, and the CVE record was publicly published on 2017-01-27.

Official resources

The CVE/NVD record was publicly published on 2017-01-27. The supplied NVD record was last modified on 2026-05-13.