CVE-2017-3384 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2017-3384 resides within the Oracle Advanced Outbound Telephony component of the Oracle E-Business Suite, specifically affecting the User Interface subcomponent. This weakness represents a significant security flaw that impacts multiple version lines including 12.1.1 through 12.2.6, indicating a prolonged period of exposure across the product lifecycle. The vulnerability is reachable over the network via HTTP, creating an attack surface that can be exploited by unauthenticated remote adversaries without requiring any prior authentication credentials or privileged access to the system.

The technical nature of this vulnerability stems from insufficient input validation and access control mechanisms within the telephony interface component. Attackers can leverage this flaw to gain unauthorized access to sensitive data within the Oracle Advanced Outbound Telephony subsystem, potentially achieving complete data compromise. The vulnerability's classification as easily exploitable indicates that the attack vector requires minimal technical sophistication, making it particularly dangerous for organizations running affected versions. The attack requires human interaction from users other than the attacker, suggesting a social engineering component where legitimate users might inadvertently facilitate the exploitation process through actions like clicking malicious links or entering credentials on compromised interfaces.

From an operational impact perspective, this vulnerability creates substantial risk for organizations utilizing Oracle E-Business Suite deployments. Successful exploitation can lead to unauthorized access to critical business data, potentially including customer information, financial records, and operational communications. The CVSS v3.0 base score of 8.2 reflects the severity of both confidentiality and integrity impacts, indicating that attackers can not only read sensitive data but also modify or delete information within the affected subsystem. The potential for impact extending beyond the immediate component suggests cascading effects that could compromise additional Oracle products within the same deployment environment, creating broader organizational security implications.

The vulnerability aligns with CWE-284 (Improper Access Control) and relates to ATT&CK technique T1190 (Exploit Public-Facing Application) through its network-based attack surface and public accessibility. Organizations should implement immediate mitigations including applying Oracle's security patches, implementing network segmentation to limit access to the vulnerable component, and monitoring network traffic for suspicious HTTP activity. Additional protective measures should include disabling unnecessary HTTP interfaces, implementing strong access controls, and conducting regular security assessments of the E-Business Suite environment. The vulnerability demonstrates the critical importance of maintaining up-to-date security patches and implementing defense-in-depth strategies to protect enterprise applications from exploitation.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96178

CPE: ready

EPSS: 0.00845

KEV: no

Activities: very low
