CVE-2017-3386 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

CVE-2017-3386 resides in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically in its User Interface subcomponent. The affected supported releases are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 (12.2.0 through 12.2.2 are not listed), so most production EBS deployments of that era fall within the affected set. Oracle's "easily exploitable" rating corresponds to low attack complexity: no special conditions, race windows or privileged access are needed. The attack vector is HTTP over the network and no authentication is required, but because the attack also requires action from a user other than the attacker, an attacker cannot compromise the component merely by sending requests to it; a legitimate user has to be induced to interact with attacker-controlled content, for example by following a crafted link.

Oracle's advisory does not publish root-cause details, so the exact defect is not documented here; VulDB classifies the weakness as CWE-287 (Improper Authentication), which fits the summary's description of an unauthenticated attacker reaching functionality that should require a logged-in user. The CVSS v3.0 base score of 8.2 combines a high confidentiality impact with a low integrity impact and no availability impact. Two further factors shape the score: the required human interaction lowers the exploitability sub-score, while the statement that attacks "may significantly impact additional products" means the scope is changed, i.e. the compromised telephony component can be used to affect resources outside its own security authority, which raises the score. Social engineering or some other way of getting a user to act is therefore part of the attack path, but once that interaction occurs no further privileges are needed.

The impact statement distinguishes confidentiality from integrity: a successful attack can yield complete read access to all data reachable through Oracle Advanced Outbound Telephony, but only update, insert or delete access to some of that data. In a telephony module the reachable data is likely to include contact and call records and campaign configuration, although the advisory does not enumerate it. Partial write access is enough to tamper with records or settings the component owns, but the advisory does not support claims of complete data loss or a denial-of-service outcome (no availability impact is listed). Because the scope is changed, the consequences may reach beyond the telephony component into other parts of the EBS deployment, and since nearly every supported 12.1 and 12.2 release of the period is affected, exposure is broad across organizations running EBS.

The primary remediation is to apply the Oracle Critical Patch Update that addresses CVE-2017-3386 on every affected instance. Until that is done, organizations should limit network exposure of the EBS web tier and the telephony interfaces in particular, place a web application firewall in front of the HTTP entry points to log and filter suspicious requests, and enforce strong access controls around the component. The mapping to ATT&CK technique T1190 (Exploit Public-Facing Application) underlines the point: any internet-reachable EBS front end is a target, and because this attack needs a user to interact with attacker-supplied content, user awareness and browser-side protections matter alongside server-side input validation. Regular security assessments should look for similar authentication weaknesses in other EBS components, and monitoring should cover unusual access patterns and unexpected data modifications in telephony-related tables. Incident response procedures should include telephony system compromise, given the potential for both data exposure and disruption of outbound communication workflows.

Reservation

12/06/2016

Disclosure

01/27/2017

Moderation

accepted

Entry

VDB-96180

CPE

ready

EPSS

0.01237

KEV

no

Activities

very low
