PatchSiren

CVE-2017-3390 Oracle CVE debrief

CVE-2017-3390 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. NVD describes it as a network-accessible HTTP vulnerability that does not require authentication, but does require human interaction. If successfully exploited, it can lead to unauthorized access to critical data and to some unauthorized update, insert, or delete capability for data handled by Advanced Outbound Telephony.

Vendor: Oracle
Product: CVE-2017-3390
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, security teams, and application owners running Advanced Outbound Telephony on the affected 12.1.x or 12.2.x versions, especially where the UI is reachable over HTTP.

Technical summary

The NVD record classifies the issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The affected CPEs listed by NVD are Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The vulnerability is in the User Interface subcomponent. Oracle's January 2017 CPU advisory is cited as the vendor reference.

Defensive priority

High

Recommended defensive actions

  • Review Oracle's January 2017 Critical Patch Update advisory and apply the vendor remediation for CVE-2017-3390 or a later cumulative fix that includes it.
  • Inventory Oracle E-Business Suite deployments to confirm whether Advanced Outbound Telephony is installed and which version is in use.
  • Restrict network exposure to the Oracle application and reduce HTTP reachability to only required administrative or business flows.
  • Validate that any user-interaction paths tied to the component are controlled and monitored.
  • Monitor Oracle and NVD references for any additional remediation notes or affected-version clarifications.

Evidence notes

All substantive claims in this debrief are drawn from the supplied NVD CVE record and its cited Oracle advisory reference. NVD lists the affected versions, CVSS vector, and impact statement; the Oracle CPU January 2017 advisory is the vendor reference cited in the record. The SecurityFocus BID reference is included as a secondary reference only.

Official resources

CVE-2017-3390 was published on 2017-01-27T22:59:06.663Z. The supplied NVD source item shows a last modified time of 2026-05-13T00:24:29.033Z, which should not be treated as the original disclosure date.