PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3409 Oracle CVE debrief

CVE-2017-3409 is a high-severity Oracle E-Business Suite issue in Advanced Outbound Telephony (User Interface subcomponent) that an unauthenticated network attacker can reach over HTTP, although exploitation also requires interaction from a user other than the attacker. Oracle’s published impact summary says successful attacks can expose critical data and allow unauthorized changes to some accessible data.

Vendor
Oracle
Product
Oracle E-Business Suite (Advanced Outbound Telephony, User Interface)
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners, and security teams responsible for Advanced Outbound Telephony deployments on affected versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6.

Technical summary

The NVD record shows CVSS v3.0 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). Read metric by metric: the issue is reachable over the network (AV:N), is low complexity (AC:L), needs no privileges (PR:N), requires a user other than the attacker to take some action (UI:R), and has a changed scope (S:C), meaning the impact can extend beyond the vulnerable component itself; the impact metrics are high confidentiality (C:H), low integrity (I:L), and no availability (A:N). The affected component is Oracle Advanced Outbound Telephony within Oracle E-Business Suite, specifically the User Interface subcomponent. Oracle’s description states that exploitation can lead to unauthorized access to critical data or complete access to all accessible Advanced Outbound Telephony data, plus unauthorized update, insert, or delete access to some of that data. NVD lists seven affected releases, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6 (12.2.0 through 12.2.2 are not in the list), and assigns no specific weakness type (NVD-CWE-noinfo), so the record gives no indication of the underlying bug class.

Defensive priority

High. An unauthenticated attacker on the network can reach the issue (AV:N, PR:N), and a successful attack carries high confidentiality and some integrity impact with changed scope. The required user interaction (UI:R) is what keeps the score below Critical, but it is a weak barrier in practice: it only means a legitimate user must take some action, such as opening a link or page, before the attack succeeds. This makes the issue worth prompt remediation, especially for internet-facing or broadly reachable E-Business Suite deployments.

Recommended defensive actions

  • Confirm whether Oracle E-Business Suite Advanced Outbound Telephony is in use and whether any affected versions are deployed.
  • Apply the fixes from the Oracle Critical Patch Update (CPU) of January 2017 referenced in the vendor advisory, or a later CPU that supersedes it, to every affected instance.
  • Reduce exposure to HTTP-accessible administrative or user-facing interfaces where feasible, especially from untrusted networks.
  • Review access controls and monitoring around Advanced Outbound Telephony activity for unusual requests or unexpected data changes.
  • Treat affected environments as higher risk when users may be prompted to interact with content originating from untrusted sources.
  • Validate that compensating controls are in place until patching is complete.

Evidence notes

All claims are taken from the supplied NVD record and its referenced Oracle advisory. The CVE was published on 2017-01-27 and later modified in NVD on 2026-05-13. NVD lists the CVSS vector as AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N and the vulnerable versions as 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The record also references Oracle’s January 2017 Critical Patch Update advisory and a SecurityFocus BID entry.

Official resources

CVE published 2017-01-27. NVD modified 2026-05-13. The source corpus does not mark this CVE as a CISA KEV entry.