CVE-2017-3407 Oracle CVE debrief

Who should care

Oracle E-Business Suite administrators, application security teams, and incident responders responsible for Oracle Advanced Outbound Telephony deployments, especially systems exposed to HTTP traffic.

Technical summary

NVD classifies the issue with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N (base score 8.2). That means exploitation is network-based, low-complexity, requires no privileges, but does require user interaction. The affected product scope in the CVE record is Oracle Advanced Outbound Telephony, with impacted versions 12.1.1 through 12.2.6 as listed in the NVD metadata. Reported consequences include unauthorized access to critical data and write access to some accessible data.

Defensive priority

High

Recommended defensive actions

• Inventory Oracle E-Business Suite deployments that include Advanced Outbound Telephony and confirm whether any affected versions (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6) are present.
• Review Oracle's January 2017 CPU advisory referenced by the CVE record and apply the vendor fix or upgrade path it prescribes.
• Restrict exposure of the affected application paths to trusted networks and minimize HTTP access where feasible.
• Monitor for unexpected user interaction flows, anomalous authentication or session activity, and suspicious data access or modification tied to the affected application.
• Validate remediation in a test environment before production rollout, then re-scan or re-check version state after patching.

Evidence notes

The CVE metadata in NVD supplies the affected versions, CVSS vector, and impact summary. The NVD record references Oracle's January 2017 Critical Patch Update advisory as the vendor patch source. The supplied corpus does not include the full Oracle advisory text, so remediation details are summarized only at a high level and limited to what the CVE/NVD record supports.

Official resources