CVE-2017-3379 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2017-3379 resides within the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically within the User Interface subcomponent. This flaw affects multiple version releases including 12.1.1 through 12.2.6, representing a significant attack surface across the Oracle EBS ecosystem. The vulnerability manifests as an easily exploitable weakness that permits unauthenticated attackers to compromise the targeted telephony functionality through standard HTTP network connections, making it particularly dangerous for organizations with exposed web interfaces.

The vulnerability stems from insufficient authentication mechanisms within the Advanced Outbound Telephony User Interface component. Attackers can leverage this weakness to gain unauthorized access to critical data and achieve complete access to all data accessible through the telephony system. The flaw carries a CVSS v3.0 base score of 8.2, indicating high severity with significant impacts to both confidentiality and integrity. Exploitation requires human interaction from a person other than the attacker, suggesting it may involve social engineering elements or targeted user actions that facilitate exploitation. This characteristic places additional emphasis on user awareness and training as a critical defensive measure.

The operational impact of CVE-2017-3379 extends beyond the immediate telephony component, potentially affecting additional Oracle products within the EBS environment. Successful exploitation enables attackers to perform unauthorized update, insert, or delete operations on sensitive telephony data, creating opportunities for data manipulation and compromise. Organizations may face significant business disruption as this vulnerability could allow attackers to alter telephony configurations, manipulate call routing, or access confidential customer communication data. The ability to achieve complete access to all accessible data within the telephony system represents a severe threat to organizational security and compliance requirements.

Security professionals should consider this vulnerability in relation to CWE-287 (Improper Authentication) and align it with ATT&CK framework techniques such as T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts). Mitigation strategies should include immediate patching of affected Oracle EBS versions, implementation of network segmentation to restrict access to telephony interfaces, and deployment of web application firewalls to monitor and filter HTTP traffic. Additionally, organizations should conduct thorough vulnerability assessments to identify other potentially exposed components within their Oracle EBS installations and establish robust monitoring procedures to detect unauthorized access attempts. Regular security awareness training for users interacting with telephony systems can help prevent social engineering exploitation attempts that may leverage this vulnerability.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96173

CPE: ready

EPSS: 0.00845

KEV: no

Activities: very low
