PatchSiren cyber security CVE debrief
CVE-2017-3395 Oracle CVE debrief
CVE-2017-3395 is a HIGH-severity Oracle vulnerability in the Advanced Outbound Telephony user interface for Oracle E-Business Suite. Oracle describes it as easily exploitable over HTTP by an unauthenticated attacker, but with required human interaction. Oracle’s advisory says successful attacks can expose sensitive data and allow some unauthorized data changes, and that impacts may extend beyond the affected component.
- Vendor: Oracle
- Product: CVE-2017-3395
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and defenders managing internet-facing or user-accessible Oracle Advanced Outbound Telephony deployments should prioritize this issue, especially on affected 12.1.x and 12.2.x releases.
Technical summary
NVD lists this issue for Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which aligns with Oracle’s description of network-based exploitation that does not require authentication but does require user interaction. The reported impact centers on confidentiality and integrity, with potential unauthorized access to critical data and some unauthorized update, insert, or delete capability.
Defensive priority
High. The combination of network exposure, no authentication requirement, and high confidentiality impact makes this a priority for patching and exposure review on affected Oracle E-Business Suite instances.
Recommended defensive actions
- Apply the Oracle January 2017 CPU / vendor fix referenced in the advisory.
- Inventory Oracle Advanced Outbound Telephony deployments and confirm whether any affected 12.1.x or 12.2.x version is in use.
- Reduce exposure of Oracle E-Business Suite interfaces to trusted networks where possible, especially HTTP-accessible paths.
- Review user-facing workflows that could enable the required human interaction and tighten access controls or monitoring around them.
- Validate that compensating controls, logging, and alerting are in place for Oracle application traffic and unexpected UI activity.
Evidence notes
The severity and attack conditions come from the supplied Oracle/NVD record: unauthenticated network access via HTTP, required human interaction, and CVSS 3.0 8.2 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. Affected versions are taken from the NVD CPE entries in the source corpus. The Oracle CPU January 2017 advisory is the vendor patch reference included in the supplied references.
Official resources
- CVE-2017-3395 CVE record (CVE.org)
- CVE-2017-3395 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference: CVE published on 2017-01-27. Oracle’s January 2017 CPU reference is the relevant vendor mitigation source in the supplied corpus.