PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3406 Oracle CVE debrief

CVE-2017-3406 is a HIGH-severity vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite. It is reachable over the network via HTTP, requires no attacker privileges, but does require a victim user to interact with the vulnerable interface. Oracle’s advisory and NVD list the affected supported versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. Successful exploitation can expose critical data and may allow unauthorized modification of some data; because the CVSS vector records a changed scope (S:C), the impact can extend beyond the Advanced Outbound Telephony component itself.

Vendor
Oracle
Product
Oracle E-Business Suite (Oracle Advanced Outbound Telephony, User Interface subcomponent)
CVSS
8.2 HIGH (CVSS v3.0 base score)
CISA KEV
No KEV listing in the evidence used for this debrief
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle E-Business Suite administrators, application security teams, and operations teams responsible for Oracle Advanced Outbound Telephony deployments, especially where its user interface is reachable by broad internal user populations or from the internet.

Technical summary

NVD lists the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N for CVE-2017-3406. The issue is in the User Interface subcomponent of Oracle Advanced Outbound Telephony. The impact is primarily on confidentiality (C:H), with a limited integrity impact (I:L) and no availability impact. The attack path is unauthenticated (PR:N) but requires a victim user to interact with the vulnerable interface (UI:R), and the changed scope (S:C) means a successful attack can affect resources beyond the vulnerable component. The 8.2 base score follows from this vector: the scope change both raises the privilege weight used in the calculation and applies the 1.08 multiplier to the combined impact and exploitability sub-scores.

Defensive priority

High

Recommended defensive actions

  • Confirm whether Oracle Advanced Outbound Telephony is deployed in any Oracle E-Business Suite environment.
  • Check whether affected supported versions listed by NVD are in use: 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
  • Apply Oracle’s vendor remediation referenced in the January 2017 Critical Patch Update (CPU) advisory where applicable.
  • Restrict exposure of the component to trusted users and networks, especially any HTTP-accessible paths.
  • Review access controls and logging for suspicious interaction with the Advanced Outbound Telephony user interface.
  • Treat the issue as a priority if the component is internet-facing or used by broad internal user populations.

Evidence notes

This debrief uses the CVE record published on 2017-01-27 and the NVD record modified on 2026-05-13. The description, affected versions, CVSS vector, and vendor reference are taken from the supplied source corpus only. No exploit steps or unsupported assumptions are included.

Official resources

Published in the CVE/NVD records on 2017-01-27; the NVD entry was later modified on 2026-05-13. Oracle’s January 2017 advisory is the vendor reference cited in NVD.