CVE-2017-3395 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability identified as CVE-2017-3395 resides in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically in its User Interface subcomponent. It affects both the 12.1 and 12.2 release lines (12.1.1 through 12.1.3 and 12.2.3 through 12.2.6), which represents a broad attack surface across Oracle E-Business Suite deployments. The flaw is reachable over the network via HTTP and requires no authentication, so it is accessible to remote attackers without credentials. The CVSS v3.0 base score of 8.2 indicates high severity, with substantial impact on both the confidentiality and the integrity of affected systems. Because the weakness sits in Oracle's telephony infrastructure, it could compromise the enterprise communication systems that depend on it.
Exploitation occurs through unauthenticated network access over HTTP, allowing an attacker to compromise the Oracle Advanced Outbound Telephony component without prior authorization. Because the flaw requires interaction from a person other than the attacker, successful exploitation likely involves social engineering or a targeted user action that triggers the attack. The attack vector targets the User Interface subcomponent, which serves as the primary interface for telephony operations within Oracle E-Business Suite. The flaw creates a path for attackers to obtain unauthorized access to critical telephony data and potentially manipulate the underlying telephony infrastructure. Its impact extends beyond the immediate component: successful exploitation can affect additional Oracle products within the broader E-Business Suite ecosystem.
The operational impact of CVE-2017-3395 is severe for organizations that rely on Oracle E-Business Suite telephony capabilities. Attackers can obtain unauthorized access to critical telephony data, such as call logs, contact information, and telephony configuration details. The vulnerability also permits unauthorized modification, allowing attackers to insert, update, or delete data within the affected telephony systems. This combined impact on data confidentiality and integrity creates significant risk for business continuity and regulatory compliance. Organizations may face data breaches, service disruption, and unauthorized telephony operations that compromise sensitive business communications and customer information. Because the vulnerability affects multiple version lines across the E-Business Suite platform, the potential for operational disruption across enterprise environments is amplified.
Organizations should implement immediate mitigation, including applying the relevant Oracle Critical Patch Update and introducing network segmentation to limit access to the affected telephony interfaces. Network access controls should restrict HTTP access to the Oracle Advanced Outbound Telephony components, particularly in environments where such access is not essential for business operations. Security monitoring should be enhanced to detect unusual patterns of access to telephony interfaces and potential exploitation attempts. The vulnerability aligns with CWE-284 (Improper Access Control) and maps to the ATT&CK techniques T1071.004 (Application Layer Protocol: DNS) and T1190 (Exploit Public-Facing Application). Regular vulnerability assessments and penetration testing should be conducted to identify additional exposure points within the Oracle E-Business Suite environment, and threat intelligence should be kept current to track evolving attack patterns against enterprise telephony systems.
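One concrete form of the access-restriction and monitoring advice above is to check web-server access logs for requests to the telephony user interface that originate outside the subnets allowed to use it. The example below is added here and is not VulDB or Oracle code; the URL prefix, the allowed subnet and the log lines are all constructed placeholders to be replaced with the real deployment's values.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): the telephony UI is served under this URL
# prefix and only the call-centre subnet should reach it. Both are placeholders.
TELEPHONY_PREFIX = "/OA_HTML/telephony/"            # placeholder path
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # placeholder subnet

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
10.20.5.17 - - [16/May/2026:10:01:02 +0000] "GET /OA_HTML/telephony/agent.jsp HTTP/1.1" 200
203.0.113.9 - - [16/May/2026:10:01:09 +0000] "GET /OA_HTML/telephony/agent.jsp?id=1 HTTP/1.1" 200
203.0.113.9 - - [16/May/2026:10:01:10 +0000] "POST /OA_HTML/telephony/agent.jsp HTTP/1.1" 302
10.20.5.17 - - [16/May/2026:10:02:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200
198.51.100.4 - - [16/May/2026:10:03:00 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200
"""


def is_allowed(ip: str) -> bool:
    """True if the client address lies inside one of the permitted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def find_external_telephony_hits(log_text: str) -> Counter:
    """Count requests to the telephony UI from clients outside ALLOWED_NETS.

    Any non-zero count is a policy violation (the network control failed or was
    never applied) and a candidate exploitation attempt worth investigating."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash the sweep
        ip, _ts, _method, path, _status = m.groups()
        if path.startswith(TELEPHONY_PREFIX) and not is_allowed(ip):
            hits[ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in find_external_telephony_hits(SAMPLE_LOG).most_common():
        print(f"ALERT {ip}: {n} telephony UI request(s) from outside allowed networks")
```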