PatchSiren

CVE-2017-3392 Oracle CVE debrief

CVE-2017-3392 is a high-severity vulnerability in Oracle E-Business Suite’s Advanced Outbound Telephony component (User Interface). Oracle/NVD list affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is described as easily exploitable over HTTP by an unauthenticated network attacker, but successful attacks require human interaction from someone other than the attacker. Oracle and NVD note that successful exploitation can expose critical data and permit unauthorized update, insert, or delete access to some accessible telephony data.

Vendor: Oracle
Product: CVE-2017-3392
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations running Oracle E-Business Suite instances that include Advanced Outbound Telephony, especially any deployment reachable over HTTP. Security, application, and ERP operations teams should treat externally reachable or broadly network-accessible EBS environments as in scope.

Technical summary

NVD records this as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating a network-reachable issue with no privileges required, but with user interaction needed for exploitation. The impact is primarily confidentiality and integrity related; the description states that compromise of Advanced Outbound Telephony may also significantly impact additional products. NVD does not provide a more specific CWE beyond NVD-CWE-noinfo.

Defensive priority

High for any exposed Oracle E-Business Suite environment using the affected Advanced Outbound Telephony versions. Prioritize patching and exposure reduction, especially where the UI is reachable from untrusted networks.

Recommended defensive actions

  • Confirm whether Oracle Advanced Outbound Telephony is deployed on any Oracle E-Business Suite instance and identify affected versions 12.1.1 through 12.2.6.
  • Apply the Oracle CPU January 2017 remediation referenced by Oracle for this issue as soon as possible, using the vendor advisory link associated with the CVE.
  • Restrict HTTP access to Oracle E-Business Suite components to trusted administrative or business networks where feasible.
  • Review whether the Advanced Outbound Telephony UI is exposed more broadly than necessary and reduce attack surface.
  • Monitor for abnormal unauthenticated HTTP access patterns and unexpected user-interaction-driven workflow activity in affected EBS environments.
  • Validate that compensating controls and patch levels are documented for any environment that cannot be immediately updated.

Evidence notes

The CVE description and NVD metadata indicate: unauthenticated attacker, network access via HTTP, human interaction required, affected Oracle E-Business Suite Advanced Outbound Telephony versions 12.1.1/12.1.2/12.1.3/12.2.3/12.2.4/12.2.5/12.2.6, and CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N with base score 8.2. References supplied by NVD include Oracle’s January 2017 CPU advisory and a SecurityFocus bulletin entry.

Official resources

Publicly disclosed on 2017-01-27 in the CVE/NVD record. NVD metadata in the supplied source was last modified on 2026-05-13.