PatchSiren

CVE-2017-3402 Oracle CVE debrief

CVE-2017-3402 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. Oracle and NVD describe it as remotely reachable over HTTP, unauthenticated, and requiring human interaction, with potential for unauthorized access to sensitive data and some update/insert/delete capability.

Vendor: Oracle
Product: CVE-2017-3402
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, ERP application owners, security operations teams, and anyone running the affected Advanced Outbound Telephony versions should treat this as a priority patching item.

Technical summary

NVD lists CVSS v3.0 8.2 with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The affected Oracle Advanced Outbound Telephony versions in the record are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The described impact includes unauthorized access to critical data or all accessible data, plus limited integrity impact, and the issue is reachable via HTTP without authentication but does require human interaction.

Defensive priority

High

Recommended defensive actions

  • Apply the Oracle January 2017 CPU referenced in the vendor advisory for the affected product line.
  • Inventory Oracle Advanced Outbound Telephony deployments and confirm whether any affected versions (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6) are present.
  • Prioritize patching exposed instances because the vulnerability is network-reachable and unauthenticated.
  • Review Oracle's advisory and the NVD detail page to validate remediation guidance and affected scope.
  • Limit external HTTP exposure to the application where operationally feasible until remediation is complete.

Evidence notes

The source corpus states that the vulnerability is in Oracle Advanced Outbound Telephony (User Interface subcomponent) and is easily exploitable by an unauthenticated attacker with network access via HTTP. The NVD record assigns CVSS v3.0 8.2 with AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The record also lists the affected versions and links to Oracle's CPU January 2017 advisory and a SecurityFocus BID entry.

Official resources

Published in the public CVE record on 2017-01-27; the vendor advisory reference points to Oracle's January 2017 CPU.