PatchSiren cyber security CVE debrief
CVE-2017-3401 Oracle CVE debrief
CVE-2017-3401 is a high-severity Oracle Advanced Outbound Telephony issue in Oracle E-Business Suite. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated attacker, but successful attacks require human interaction from someone other than the attacker. Impact is primarily confidentiality and integrity loss, with potential unauthorized access to critical data or to all Advanced Outbound Telephony-accessible data.
- Vendor: Oracle
- Product: CVE-2017-3401
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, security teams responsible for Oracle Advanced Outbound Telephony, and incident responders who monitor externally reachable Oracle application services.
Technical summary
The vulnerable component is Oracle Advanced Outbound Telephony, subcomponent: User Interface. NVD lists affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, reflecting network exposure, no privileges required, required user interaction, and a high confidentiality impact with limited integrity impact. The source corpus does not identify a CWE beyond NVD-CWE-noinfo.
Defensive priority
High. The combination of unauthenticated network exposure and the potential for serious confidentiality and integrity impact makes this a priority exposure review item for any Oracle E-Business Suite deployment using the affected Advanced Outbound Telephony versions.
Recommended defensive actions
- Confirm whether Oracle Advanced Outbound Telephony is deployed and whether any affected versions are in use: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Apply the Oracle security guidance referenced in the January 2017 CPU advisory and related vendor documentation.
- Restrict network access to Oracle E-Business Suite services, especially any HTTP-facing interfaces that should not be broadly reachable.
- Review logs and access patterns for unexpected interactions involving Advanced Outbound Telephony and any unusual user-driven actions.
- Validate compensating controls and segmentation around Oracle application tiers that may reduce exposure if patching is delayed.
Evidence notes
All substantive claims are drawn from the supplied NVD record and its referenced Oracle CPU advisory. The NVD metadata states the vulnerability is in Oracle Advanced Outbound Telephony (User Interface), affects the listed versions, is exploitable via HTTP by an unauthenticated attacker, requires human interaction, and has CVSS v3.0 8.2 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The record was published on 2017-01-27 and later modified on 2026-05-13. The source corpus includes an Oracle vendor advisory reference and a SecurityFocus reference; no additional behavioral detail was used.
Official resources
- CVE-2017-3401 CVE record: CVE.org
- CVE-2017-3401 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Publicly disclosed in Oracle's January 2017 security advisory and recorded by NVD on 2017-01-27. The NVD entry in the supplied corpus was modified on 2026-05-13; that modified date is not the vulnerability's original disclosure date.