PatchSiren

CVE-2017-3399 Oracle CVE debrief

CVE-2017-3399 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite that Oracle/NVD describe as easily exploitable over HTTP by an unauthenticated attacker, but with human interaction required. The reported impact is strongest for confidentiality and integrity: successful attacks can lead to unauthorized access to critical data, full access to Advanced Outbound Telephony-accessible data, and unauthorized update/insert/delete capabilities. Oracle notes that attacks may also significantly affect additional products.

Vendor: Oracle
Product: CVE-2017-3399
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Advanced Outbound Telephony—especially where versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are in use.

Technical summary

NVD lists the CVSS v3.0 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. It describes a network-accessible flaw with low attack complexity, no privileges required, and a user-interaction requirement; scope is changed (S:C), confidentiality impact is high, integrity impact is low, and there is no availability impact. The affected CPEs are Oracle Advanced Outbound Telephony versions 12.1.1 through 12.2.6 as enumerated in the NVD record. The issue is tied to the User Interface subcomponent of Oracle Advanced Outbound Telephony.

Defensive priority

High

Recommended defensive actions

  • Inventory Oracle E-Business Suite deployments to confirm whether Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6 are present.
  • Review Oracle's January 2017 security advisory for the vendor remediation associated with this CVE and apply the relevant fix for affected systems.
  • Restrict network exposure to the application where possible, especially HTTP access from untrusted networks.
  • Monitor for suspicious user-interaction flows and unauthorized data-access or data-modification activity in the affected component.
  • Prioritize patch validation and post-remediation verification in production environments handling sensitive Oracle E-Business Suite data.

Evidence notes

This debrief is based on the CVE record and NVD metadata supplied in the source corpus. The NVD vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, with affected CPEs for Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Oracle's advisory reference is identified as a January 2017 critical patch update/vendor advisory, but the advisory contents were not fetched here.

Official resources

CVE published on 2017-01-27T22:59:06.913Z. NVD last modified the record on 2026-05-13T00:24:29.033Z.