PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3396 Oracle CVE debrief

CVE-2017-3396 is a high-severity Oracle vulnerability in the Advanced Outbound Telephony user interface component of Oracle E-Business Suite. Oracle’s advisory and the NVD record describe an unauthenticated, network-reachable issue over HTTP that requires human interaction and can expose or alter sensitive data in affected deployments.

Vendor: Oracle
Product: CVE-2017-3396
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators and security teams, especially those running Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6. Priority is highest where the application is reachable over HTTP or exposed to users with broad access.

Technical summary

The NVD record maps this issue to Oracle Advanced Outbound Telephony and marks the affected versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N: the issue is reachable over the network with low attack complexity and no privileges, but it requires user interaction. Scope is changed, the confidentiality impact is high, the integrity impact is low, and there is no availability impact. NVD classifies the weakness as NVD-CWE-noinfo, meaning the record does not contain enough information to assign a specific CWE.

Defensive priority

High. The issue is reachable over the network, requires no privileges, and carries a high confidentiality impact. Although it depends on user interaction, that combination makes it worth prompt remediation in any affected Oracle E-Business Suite environment.

Recommended defensive actions

  • Confirm whether Oracle Advanced Outbound Telephony is deployed and whether any instance matches the affected versions listed in the NVD record.
  • Apply Oracle’s January 2017 critical patch update referenced in the vendor advisory for the affected product/version set.
  • Reduce exposure by limiting HTTP access to the application to only trusted networks and users where possible.
  • Review authentication, access, and audit logs around the affected component for suspicious activity or unexpected data changes.
  • Validate that user-facing workflows and account permissions are narrowly scoped, since the issue requires human interaction and can affect data confidentiality and integrity.

Evidence notes

This debrief is based on the supplied NVD modified record for CVE-2017-3396 and its references to Oracle’s January 2017 security advisory and SecurityFocus BID 95531. The CVSS vector, affected CPE versions, and vulnerability characteristics are taken from the NVD data provided in the corpus. The CVE publication timestamp is 2017-01-27T22:59:06.820Z.

Official resources

Publicly disclosed in the CVE record on 2017-01-27. The supplied data does not mark this CVE as CISA KEV.