CVE-2017-3387 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2017-3387 resides within the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically within the User Interface subcomponent. This flaw represents a significant security weakness that affects multiple version branches including 12.1.1 through 12.2.6, indicating a prolonged period of exposure across the product lifecycle. The vulnerability's classification as easily exploitable means that attackers with network access via HTTP can potentially compromise the targeted system without requiring authentication credentials, presenting a substantial risk to organizations utilizing these Oracle products.
The technical nature of this vulnerability stems from insufficient input validation and access control mechanisms within the telephony interface component. Attackers can leverage this weakness to gain unauthorized access to critical data within the Oracle Advanced Outbound Telephony system, potentially achieving complete access to all accessible data together with unauthorized modification capabilities (update, insert and delete operations). This is a severe compromise of both the confidentiality and the integrity of the affected data, and the CVSS v3.0 base score of 8.2 reflects that impact. The requirement for human interaction from a person other than the attacker indicates that exploitation depends on a legitimate user performing some action, for example through social engineering or by targeting specific user activities within the telephony interface.
The operational impact of CVE-2017-3387 extends beyond the immediate telephony component, as successful exploitation can significantly affect additional Oracle products within the broader E-Business Suite ecosystem. This interconnectedness means that compromise of one component can potentially lead to cascading security issues across multiple integrated systems. Organizations utilizing affected versions face risks including data exfiltration, unauthorized transaction processing, system integrity compromise, and potential disruption of business operations that rely on telephony functionalities. The vulnerability's potential to enable unauthorized access to critical business data makes it particularly dangerous for enterprises handling sensitive customer information, financial records, or proprietary business communications.
Mitigation strategies for this vulnerability should prioritize immediate patching of affected Oracle E-Business Suite versions, with organizations implementing the relevant security updates provided by Oracle. Network segmentation and access controls should be strengthened to limit exposure of the telephony interface to unauthorized network access. Additional protective measures include implementing web application firewalls to monitor and filter HTTP traffic to the affected component, conducting thorough network monitoring for suspicious activities, and establishing robust incident response procedures. Organizations should also consider disabling unnecessary telephony functionalities and implementing strict access controls for privileged accounts. This vulnerability aligns with CWE-284 (Improper Access Control) and may be categorized under ATT&CK technique T1071.004 (Application Layer Protocol: DNS) when exploited through network-based attacks, highlighting the importance of comprehensive network security measures.