PatchSiren

CVE-2017-3391 Oracle CVE debrief

CVE-2017-3391 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. According to the CVE record and NVD, an unauthenticated attacker can reach the issue over HTTP, but exploitation requires human interaction from another person. Successful attacks can lead to unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data. The affected versions listed in NVD are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Vendor: Oracle
Product: CVE-2017-3391
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and incident responders responsible for environments using Oracle Advanced Outbound Telephony, especially deployments matching the affected versions listed by NVD.

Technical summary

NVD assigns the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: the flaw is network-reachable with low attack complexity and requires no privileges, but it does require user interaction, and the scope is changed. The recorded impact is high for confidentiality and low for integrity, with no direct availability impact. NVD classifies the weakness as NVD-CWE-noinfo. The affected Oracle Advanced Outbound Telephony versions listed are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Defensive priority

High. The issue is exploitable without authentication, is network-accessible, and can expose or modify sensitive data. Prioritize remediation for any exposed Oracle E-Business Suite deployment, particularly where the component is reachable by users or external networks.

Recommended defensive actions

  • Identify Oracle E-Business Suite deployments using Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle's January 2017 security advisory referenced by NVD and apply the vendor patch or remediation guidance for CVE-2017-3391.
  • Restrict HTTP exposure for the affected component to trusted networks while remediation is pending.
  • Validate whether any workflows depend on user interaction that could be abused in this component and monitor those paths for anomalies.
  • Review logs and access patterns for unexpected requests or changes affecting Oracle Advanced Outbound Telephony data.

Evidence notes

The CVE record was published on 2017-01-27 and later modified on 2026-05-13. NVD lists affected CPEs for Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. NVD also provides the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and cites Oracle's January 2017 CPU advisory as a vendor reference. The supplied corpus does not mark this CVE as a CISA KEV item.

Official resources

Publicly published in the CVE record on 2017-01-27; the supplied corpus does not list it in CISA KEV.