PatchSiren cyber security CVE debrief
CVE-2017-3398 Oracle CVE debrief
CVE-2017-3398 is a high-severity Oracle vulnerability in the Advanced Outbound Telephony component of Oracle E-Business Suite. Oracle’s advisory and NVD describe it as easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from a person other than the attacker. The issue can expose critical data and may allow unauthorized update, insert, or delete access to some affected data.
- Vendor: Oracle
- Product: CVE-2017-3398
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Advanced Outbound Telephony deployments should prioritize this issue, especially where the component is reachable over HTTP and users may interact with attacker-controlled content or requests.
Technical summary
NVD lists the vulnerability as affecting Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting network reachability, no privileges required, user interaction required, and a high confidentiality impact with limited integrity impact. Oracle’s description notes that exploitation can lead to unauthorized access to critical data and broader access to Advanced Outbound Telephony-accessible data, with some ability to modify records.
Defensive priority
High. The combination of unauthenticated network access, user interaction, and high confidentiality impact makes this important to patch and validate quickly in any environment exposing the component.
Recommended defensive actions
- Review Oracle CPU January 2017 guidance for the affected Advanced Outbound Telephony versions.
- Patch or upgrade all affected Oracle E-Business Suite instances that include Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Restrict network exposure to the component, especially where HTTP access is not required.
- Reduce the likelihood of harmful user interaction by reinforcing user awareness and limiting access paths that can trigger the vulnerable workflow.
- Verify remediation in staging and production, then confirm the affected component is no longer reachable in the vulnerable configuration.
Evidence notes
All material points are drawn from the supplied NVD record and Oracle advisory reference. The CVSS vector, affected versions, attack requirements, and impact statements come from the NVD metadata and the CVE description provided in the corpus. No exploit details are included.
Official resources
- CVE-2017-3398 CVE record (CVE.org)
- CVE-2017-3398 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed on 2017-01-27 22:59:06.883Z, based on the CVE published date supplied in the corpus. The record was later modified on 2026-05-13 00:24:29.033Z.