PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3389 Oracle CVE debrief

CVE-2017-3389 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. According to NVD, the flaw is network-reachable over HTTP, requires no authentication, but does require human interaction. Successful exploitation can expose sensitive data and allow unauthorized changes to data handled by the component. Oracle and NVD list affected versions including 12.1.1 through 12.2.6.

Vendor: Oracle
Product: CVE-2017-3389
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, security teams, and anyone responsible for internet-facing Oracle Advanced Outbound Telephony deployments—especially where the UI is reachable by users or external networks.

Technical summary

NVD classifies the issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a remotely reachable vulnerability that does not require privileges but does require user interaction. The affected component is Oracle Advanced Outbound Telephony (User Interface) in Oracle E-Business Suite. Oracle's advisory references the vulnerable product family, and NVD lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The published impact includes unauthorized access to critical data or complete access to accessible data, plus unauthorized update, insert, or delete access to some accessible data.

Defensive priority

High — prioritize remediation for any affected deployment, especially if the interface is exposed to network users and depends on user-driven interaction.

Recommended defensive actions

  • Inventory Oracle E-Business Suite instances and confirm whether Oracle Advanced Outbound Telephony is present on versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Apply Oracle's remediation guidance from the January 2017 critical patch update referenced by NVD and verify the fix level on all affected systems.
  • Reduce exposure of the affected HTTP-accessible interface to the smallest feasible set of trusted users and networks.
  • Review authentication, authorization, and access logs for the affected component for unexpected access or data changes.
  • Validate the integrity of data handled by Oracle Advanced Outbound Telephony and investigate any unauthorized updates, inserts, or deletions.
  • If remediation cannot be completed immediately, add compensating controls such as network restrictions and heightened monitoring around the affected application path.

Evidence notes

Evidence in the supplied corpus shows: NVD CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with base score 8.2; Oracle Advanced Outbound Telephony in Oracle E-Business Suite is the affected product; the CVE description requires human interaction and mentions impact to additional products; NVD lists affected CPE versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6; NVD also records no specific CWE detail (NVD-CWE-noinfo).

Official resources

Publicly disclosed on 2017-01-27, matching the CVE publication date in the supplied record. The NVD entry was later modified on 2026-05-13, which should not be treated as the issue date.