CVE-2017-3390 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2017-3390 represents a critical security flaw within the Oracle Advanced Outbound Telephony component of the Oracle E-Business Suite ecosystem. This vulnerability specifically affects the User Interface subcomponent and impacts multiple supported versions including 12.1.1 through 12.2.6, making it a widespread concern across various Oracle EBS deployments. Its classification as easily exploitable indicates that attackers can leverage this weakness without specialized skills or extensive resources, significantly increasing the risk to affected organizations.
The technical nature of this vulnerability resides in the insufficient authentication and authorization mechanisms within the Oracle Advanced Outbound Telephony interface. Attackers can exploit this weakness through HTTP network access without requiring authentication credentials, making it particularly dangerous as it allows unauthorized access to sensitive telephony data and operations. The vulnerability operates at the application layer, specifically targeting the user interface component that handles outbound telephony communications, which typically contains sensitive customer information, call logs, and telephony configuration data. This flaw falls under the CWE-287 category of Improper Authentication, where the system fails to properly verify the identity of users attempting to access protected resources.
The operational impact of this vulnerability extends beyond the immediate scope of Oracle Advanced Outbound Telephony, as noted in the description. Successful exploitation can lead to unauthorized access to critical data and complete access to all data accessible through the telephony component, potentially exposing sensitive customer information, call records, and business communications. The vulnerability also enables unauthorized update, insert, or delete operations, allowing attackers to modify or corrupt telephony data, which could disrupt business operations and compromise data integrity. The CVSS v3.0 base score of 8.2 reflects the high severity of this vulnerability, particularly given the confidentiality and integrity impacts it can cause. This score indicates that the vulnerability can result in significant damage to an organization's telephony infrastructure and the sensitive data it contains.
Organizations should mitigate immediately by segmenting the network to limit access to the affected Oracle E-Business Suite components, applying strong firewall rules to restrict HTTP access, and applying the relevant Oracle security patches as soon as they become available. The ATT&CK framework categorizes this vulnerability under the T1190 technique of Exploit Public-Facing Application, where attackers target accessible web applications to gain unauthorized access. Additional defensive measures should include monitoring for unusual network traffic patterns, implementing intrusion detection systems to identify potential exploitation attempts, and conducting regular vulnerability assessments of the Oracle E-Business Suite environment. The vulnerability also highlights the importance of proper access control implementation and the need for regular security updates to prevent exploitation of known weaknesses in enterprise applications. Organizations should also consider implementing application-level firewalls and web application firewalls to provide additional layers of protection against similar vulnerabilities in the future.