PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3405 Oracle CVE debrief

CVE-2017-3405 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. Oracle/NVD describe it as easily exploitable by an unauthenticated attacker with network access via HTTP, but successful exploitation requires human interaction from another person. The impact can include unauthorized access to critical data and unauthorized update, insert, or delete access to some accessible data.

Vendor: Oracle
Product: CVE-2017-3405
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running affected Oracle E-Business Suite deployments, especially those using Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.

Technical summary

NVD lists the issue in Oracle Advanced Outbound Telephony, subcomponent User Interface, with CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The affected CPEs cover Oracle Advanced Outbound Telephony versions 12.1.1 through 12.2.6 as enumerated in the source record. The weakness is classified by NVD as NVD-CWE-noinfo, so the public record does not provide a more specific CWE.

Defensive priority

High. The combination of network reachability, no privileges required, and confidentiality/integrity impact makes this important to prioritize, even though user interaction is required.

Recommended defensive actions

  • Review Oracle's January 2017 CPU advisory for the remediation guidance linked in the NVD record.
  • Identify whether any Oracle E-Business Suite environments include Oracle Advanced Outbound Telephony versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
  • Apply the vendor-provided patch or mitigation referenced by Oracle/NVD.
  • Restrict exposure of the affected application to only necessary network paths while remediation is planned.
  • Validate that business processes involving the user interaction required by the vulnerability are monitored and minimized where possible.
  • Reconfirm the vulnerability status against the current NVD and Oracle advisory references after patching.

Evidence notes

All facts above are drawn from the supplied NVD record and its listed Oracle/vendor references. The published date used here is 2017-01-27T22:59:07.117Z from the CVE/NVD source. The later modified date of 2026-05-13T00:24:29.033Z reflects record maintenance in NVD and is not the vulnerability introduction date.

Official resources

Publicly disclosed in the official record on 2017-01-27; NVD later marked the record modified on 2026-05-13.