CVE-2017-3396 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2017-3396 resides within the Oracle Advanced Outbound Telephony component of the Oracle E-Business Suite, specifically within the User Interface subcomponent. It affects multiple versions, 12.1.1 through 12.2.6, representing a significant attack surface across the Oracle EBS ecosystem. The vulnerability is reachable over the network and can be exploited via HTTP without authentication, making it particularly dangerous for organizations with exposed web services. This flaw represents a critical security gap in Oracle's telephony infrastructure that directly impacts enterprise communication systems.

According to this analysis, the vulnerability stems from insufficient input validation and access control mechanisms within the telephony user interface component. Attackers can leverage this weakness to gain unauthorized access to sensitive telephony data and potentially manipulate communication systems. Its classification as easily exploitable indicates that the attack requires minimal technical expertise or resources to carry out. The requirement for human interaction from a person other than the attacker indicates that social engineering or targeted user manipulation may be necessary to complete exploitation, though the initial access point remains unauthenticated and network-based.

From an operational impact perspective, this vulnerability poses severe risks to organizations utilizing Oracle E-Business Suite telephony services. Successful exploitation can lead to unauthorized access to critical telephony data including call records, contact information, and communication logs that may contain sensitive business or personal information. The potential for complete access to all accessible data combined with unauthorized update, insert, or delete operations creates a comprehensive threat to data integrity and confidentiality. This vulnerability can significantly impact business continuity and regulatory compliance, particularly in industries governed by data protection regulations such as healthcare, finance, or government sectors where telephony communication data is highly sensitive.

The CVSS v3.0 base score of 8.2 reflects the severity of this vulnerability, with impacts rated as high for both confidentiality and integrity. This score indicates that organizations should prioritize immediate remediation efforts to address this weakness. The vulnerability aligns with CWE-284 (Improper Access Control) and potentially CWE-352 (Cross-Site Request Forgery) depending on the specific implementation details. From an ATT&CK framework perspective, this vulnerability maps to techniques involving initial access through network services and privilege escalation through data manipulation. Organizations should implement network segmentation to limit access to Oracle EBS components, deploy web application firewalls to monitor and filter HTTP traffic, and ensure timely patching of affected versions. Additionally, monitoring for suspicious network activity related to telephony services and implementing robust access controls for telephony interfaces will help mitigate the risk associated with this vulnerability.

Reservation: 12/06/2016

Disclosure: 01/27/2017

Moderation: accepted

Entry: VDB-96189

CPE: ready

EPSS: 0.01237

KEV: no

Activities: very low
