PatchSiren cyber security CVE debrief
CVE-2017-3397 Oracle CVE debrief
CVE-2017-3397 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. Oracle and NVD describe it as easily exploitable over HTTP, requiring no attacker privileges but needing human interaction from another person. The affected versions listed in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Successful exploitation can expose critical data and allow unauthorized data changes within the affected component.
- Vendor: Oracle
- Product: CVE-2017-3397
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and organizations that expose Advanced Outbound Telephony functionality to network access should prioritize this CVE, especially where end users may interact with web content or workflows tied to the component.
Technical summary
The vulnerability is in Oracle Advanced Outbound Telephony, a subcomponent of Oracle E-Business Suite User Interface. The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, which indicates a network-reachable issue with low attack complexity, no privileges required, and required user interaction. The published impact centers on confidentiality and integrity: unauthorized access to critical data, complete access to some accessible data, and unauthorized update, insert, or delete access to some accessible data. NVD lists the weakness as NVD-CWE-noinfo.
Defensive priority
High. The issue is network-accessible, requires no privileges, affects multiple Oracle E-Business Suite versions, and can impact both confidentiality and integrity.
Recommended defensive actions
- Confirm whether any Oracle E-Business Suite instances run Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Review Oracle CPU Jan 2017 guidance for remediation and patch availability for this CVE.
- Reduce exposure of the affected web-facing functionality where possible, especially to untrusted networks.
- Monitor for abuse patterns that depend on user interaction in the relevant application workflows.
- Validate that compensating controls and segmentation limit access to the affected Oracle application surfaces.
Evidence notes
This debrief is based on the CVE record and NVD entry. The CVE was published on 2017-01-27T22:59:06.850Z. The NVD record was modified on 2026-05-13T00:24:29.033Z. Evidence in the supplied corpus identifies Oracle Advanced Outbound Telephony as the affected product area, lists the impacted versions, provides the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, and links Oracle CPU Jan 2017 as the vendor advisory/reference.
Official resources
- CVE-2017-3397 CVE record (CVE.org)
- CVE-2017-3397 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch, Vendor Advisory)
- Source reference
CVE-2017-3397 was first published on 2017-01-27. The supplied NVD record shows a later modification on 2026-05-13; that later date reflects record maintenance, not the original issue date.