PatchSiren cyber security CVE debrief
CVE-2017-3408 Oracle CVE debrief
CVE-2017-3408 is a high-severity Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite. NVD describes it as easily exploitable over HTTP by an unauthenticated attacker, but successful exploitation requires human interaction. The issue can expose critical data and allow unauthorized modification of some accessible data, with possible impact beyond the telephony component.
- Vendor: Oracle
- Product: CVE-2017-3408
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle E-Business Suite administrators, application security teams, and operations staff responsible for Advanced Outbound Telephony deployments in affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.
Technical summary
NVD rates the issue CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). The vulnerable component is Oracle Advanced Outbound Telephony, subcomponent User Interface. The record indicates network-based access via HTTP, no privileges required, and a user interaction requirement. Impact is primarily confidentiality and integrity, with NVD listing generic weakness classification NVD-CWE-noinfo.
Defensive priority
High. The combination of network reachability, no authentication requirement, and high confidentiality impact makes this a strong patch-and-verify item for any environment running the affected EBS releases.
Recommended defensive actions
- Confirm whether Oracle Advanced Outbound Telephony is deployed in Oracle E-Business Suite versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, or 12.2.6.
- Review Oracle's January 2017 security advisory for the vendor remediation guidance referenced in the NVD record.
- Prioritize patching or upgrading affected instances according to Oracle's advisory and your maintenance windows.
- Reduce exposure of the affected HTTP-facing application paths where feasible and monitor for unexpected user interaction or unauthorized data access.
- Audit logs and access activity for evidence of abnormal access to Oracle Advanced Outbound Telephony data and related application components.
Evidence notes
All claims above are drawn from the supplied NVD record and its cited Oracle advisory reference. The CVE was published on 2017-01-27T22:59:07.210Z; the later 2026-05-13 record modification does not change the original disclosure date. NVD lists the affected Oracle Advanced Outbound Telephony versions explicitly and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N.
Official resources
- CVE-2017-3408 CVE record (CVE.org)
- CVE-2017-3408 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Source reference
Original CVE publication date: 2017-01-27T22:59:07.210Z. NVD record modified on 2026-05-13T00:24:29.033Z; this later modification is not the vulnerability date.