PatchSiren

CVE-2017-3404 Oracle CVE debrief

CVE-2017-3404 is an Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite’s user interface component. Oracle and NVD describe it as easily exploitable over HTTP by an unauthenticated network attacker, but successful abuse requires human interaction and can expose or alter sensitive data.

Vendor: Oracle
Product: CVE-2017-3404
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and incident responders responsible for environments using Oracle Advanced Outbound Telephony on affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.

Technical summary

NVD lists CVSS v3.0 8.2 (HIGH) with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The issue is in Oracle Advanced Outbound Telephony, subcomponent User Interface, and affects the versions named in the NVD record. The published description indicates unauthenticated network access via HTTP plus required human interaction, with potential impact to confidentiality and integrity. NVD does not provide a more specific CWE than NVD-CWE-noinfo.

Defensive priority

High. The combination of network reachability, no privileges required, and potential access to critical data makes this worth prioritizing in internet-facing or broadly reachable E-Business Suite deployments, even though user interaction is required.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite instances use Advanced Outbound Telephony and whether any listed affected versions are deployed.
  • Review Oracle’s January 2017 CPU advisory referenced by NVD and apply Oracle-provided remediation for the affected versions.
  • Reduce exposure of the Advanced Outbound Telephony interface to trusted networks only while remediation is planned.
  • Monitor for unexpected access to, or changes in, data handled by the Advanced Outbound Telephony component.
  • Validate that only authorized users can reach the relevant web interface and that any related business workflows are reviewed for misuse.

Evidence notes

The NVD record for CVE-2017-3404 lists affected Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. It also provides the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and references Oracle’s CPU January 2017 advisory as a vendor patch reference. The CVE was published on 2017-01-27.

Official resources

Publicly disclosed by Oracle and recorded in NVD on 2017-01-27. The supplied corpus does not indicate KEV listing or ransomware campaign use.