CVE-2017-3385 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2017-3385 resides within the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically within the User Interface subcomponent. This flaw represents a critical security weakness that affects multiple version branches including 12.1.1 through 12.2.6, making it particularly concerning for organizations maintaining legacy systems. The vulnerability operates at the application layer and presents an easily exploitable condition that allows unauthenticated attackers to compromise the telephony component through standard HTTP network connections.
The technical implementation of this vulnerability stems from insufficient authentication controls within the User Interface component, creating an attack surface that can be accessed without proper credentials. The flaw enables attackers to gain unauthorized access to sensitive telephony data and potentially manipulate the system's operational parameters. According to CVSS v3.0 scoring, this vulnerability carries a base score of 8.2, indicating high severity with impacts to both confidentiality and integrity. The attack vector requires network access via the HTTP protocol, making it accessible to remote threat actors without requiring physical presence or specialized equipment.
The operational impact of CVE-2017-3385 extends beyond the immediate telephony component, as successful exploitation can result in unauthorized access to critical data and complete access to all accessible data within the Oracle Advanced Outbound Telephony environment. Attackers can potentially perform unauthorized update, insert, or delete operations on sensitive telephony records, which could disrupt business communications and compromise operational security. The requirement for human interaction from individuals other than the attacker suggests that social engineering or targeted user engagement may be necessary to fully exploit this vulnerability, though the core weakness remains in the authentication mechanism itself.
Organizations affected by this vulnerability should implement immediate mitigations including network segmentation to limit access to the telephony component, deployment of web application firewalls to monitor and filter HTTP traffic, and implementation of strong authentication controls. The vulnerability aligns with CWE-287, which addresses improper authentication issues, and maps to ATT&CK technique T1190 for exploiting vulnerabilities in web applications. Security teams should also consider disabling unnecessary HTTP endpoints and implementing comprehensive monitoring of telephony system access patterns to detect potential exploitation attempts. Regular patching and vulnerability assessment programs should be enhanced to prevent similar issues in other Oracle E-Business Suite components that may share similar authentication weaknesses.