PatchSiren cyber security CVE debrief
CVE-2017-3400 Oracle CVE debrief
CVE-2017-3400 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. Oracle’s description, as reflected in NVD, says the flaw is easily exploitable over HTTP by an unauthenticated network attacker, but successful attacks require human interaction from someone other than the attacker. The published impact includes unauthorized access to critical data, possible complete access to Advanced Outbound Telephony accessible data, and unauthorized modification of some accessible data.
- Vendor: Oracle
- Product: CVE-2017-3400
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application owners, and security teams responsible for Oracle Advanced Outbound Telephony installations on the affected 12.1.x and 12.2.x releases should prioritize review and remediation.
Technical summary
NVD records a CVSS v3.0 base score of 8.2 with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The vulnerability affects Oracle Advanced Outbound Telephony component versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The component is reachable over the network via HTTP, and exploitation requires no privileges but does require user interaction. The supplied NVD record also notes possible broader product impact and lists CWE details as NVD-CWE-noinfo.
Defensive priority
High. The combination of unauthenticated network reachability, required user interaction, and high confidentiality impact makes this worth prompt patch validation and exposure review.
Recommended defensive actions
- Review Oracle CPU January 2017 guidance for CVE-2017-3400 and confirm whether any affected Advanced Outbound Telephony versions are deployed.
- Apply Oracle-provided updates or mitigations for the affected E-Business Suite releases listed in the CVE record.
- Restrict HTTP exposure to Oracle E-Business Suite components where possible and limit access to trusted networks or reverse proxies.
- Harden user-awareness controls because successful exploitation requires interaction from a person other than the attacker.
- Inventory adjacent Oracle E-Business Suite components for potential business impact, since Oracle notes attacks may significantly impact additional products.
- Validate remediation by checking current product versions against the affected CPE entries in the NVD record.
Evidence notes
This debrief is based only on the supplied CVE/NVD corpus and linked Oracle/NVD references. The CVE publication timestamp used for timing context is 2017-01-27T22:59:06.943Z. The NVD record was last modified on 2026-05-13T00:24:29.033Z, but that is not treated as the disclosure date. The affected versions, attack characteristics, CVSS vector, and impact statements are taken from the supplied NVD metadata and CVE description.
Official resources
- CVE-2017-3400 CVE record (CVE.org)
- CVE-2017-3400 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Patch, Vendor Advisory)
- Source reference
Publicly disclosed on 2017-01-27 per the supplied CVE publication timestamp; Oracle CPU January 2017 is referenced by NVD as the vendor advisory. NVD last modified the record on 2026-05-13.