PatchSiren cyber security CVE debrief

CVE-2017-3403 Oracle CVE debrief

CVE-2017-3403 is a high-severity Oracle vulnerability in the Advanced Outbound Telephony component of Oracle E-Business Suite. Oracle describes it as easily exploitable over HTTP by an unauthenticated network attacker, but successful exploitation requires human interaction from someone other than the attacker. The issue can expose critical data and allow unauthorized data access and some data modification in affected deployments. Oracle’s January 2017 CPU advisory is the vendor mitigation reference listed with the CVE.

Vendor: Oracle
Product: CVE-2017-3403
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, security teams, and anyone running Advanced Outbound Telephony in affected 12.1.1 through 12.2.6 versions should review this CVE. Because the attack is network-reachable and does not require authentication, perimeter exposure and user-facing workflows both matter.

Technical summary

NVD records this issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, with Oracle Advanced Outbound Telephony in Oracle E-Business Suite affected across versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The published description says an unauthenticated attacker with network access via HTTP can compromise the component, but exploitation requires user interaction. NVD also notes potential impact beyond the component itself and lists the Oracle January 2017 CPU advisory as a vendor reference.

Defensive priority

High. The combination of unauthenticated network access, required user interaction, and confidentiality/integrity impact warrants prompt review and remediation in any exposed Oracle E-Business Suite environment.

Recommended defensive actions

  • Confirm whether Oracle Advanced Outbound Telephony is deployed in any Oracle E-Business Suite instance.
  • Check whether any affected versions are in use: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Review Oracle's January 2017 CPU advisory for the vendor remediation guidance referenced by NVD.
  • Restrict exposure of the affected HTTP-accessible interface to only trusted networks where possible.
  • Prioritize patching or vendor-recommended remediation in internet-facing or broadly reachable environments.
  • Monitor for abnormal user-interaction flows or unexpected access patterns around the affected telephony UI component.

Evidence notes

All substantive claims are taken from the supplied NVD record and Oracle reference metadata. The CVE description states unauthenticated network access via HTTP, required human interaction, and confidentiality/integrity impacts. NVD lists the affected Oracle Advanced Outbound Telephony versions and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The Oracle January 2017 CPU advisory is included in the reference list, and SecurityFocus BID 95531 is also cited as a reference.

Official resources

CVE-2017-3403 was published on 2017-01-27. The supplied NVD source record was last modified on 2026-05-13, but that is source metadata and not the original disclosure date.