
PatchSiren cyber security CVE debrief

CVE-2017-3412 Oracle CVE debrief

CVE-2017-3412 is an Oracle Advanced Outbound Telephony vulnerability in Oracle E-Business Suite's user interface. Oracle and NVD list affected supported releases 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, and 12.2.6. The issue is network-accessible over HTTP, unauthenticated, and requires human interaction. NVD rates it CVSS 3.0 8.2 with confidentiality and integrity impact.

Vendor: Oracle
Product: Oracle E-Business Suite (Advanced Outbound Telephony)
CVE: CVE-2017-3412
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Oracle E-Business Suite administrators, application owners for Advanced Outbound Telephony, security operations teams, and anyone exposing the EBS UI over HTTP.

Technical summary

The vulnerability is in Oracle Advanced Outbound Telephony, a user-interface subcomponent of Oracle E-Business Suite. NVD describes it as easily exploitable by an unauthenticated network attacker using HTTP, but successful attacks depend on human interaction. The published CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N, indicating strong confidentiality impact and some integrity impact.

Defensive priority

High

Recommended defensive actions

  • Verify whether any affected Oracle E-Business Suite versions are deployed, especially 12.1.1-12.1.3 and 12.2.3-12.2.6.
  • Review and apply Oracle's January 2017 CPU guidance referenced in the Oracle advisory link.
  • Reduce exposure of the EBS UI over HTTP to trusted networks while remediation is pending.
  • Monitor access and application logs for unexpected interaction with Advanced Outbound Telephony and related UI workflows.
  • Assess downstream products and integrations that could inherit impact from this component.

Evidence notes

Based on the CVE record and NVD detail for CVE-2017-3412. The record states affected Oracle Advanced Outbound Telephony versions and the network/HTTP, unauthenticated, user-interaction-required attack conditions. No KEV entry was supplied.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27; last modified in NVD on 2026-05-13.