CVE-2017-3397 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
The vulnerability described in CVE-2017-3397 resides in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically in its User Interface subcomponent. It affects multiple version lines, 12.1.1 through 12.2.6, so it is a concern across a wide range of Oracle EBS deployments. Its classification as easily exploitable indicates that an attacker can leverage it without specialized skills or extensive resources, which makes it a substantial risk for organizations running affected Oracle products.
Technically, the flaw allows unauthenticated attackers to compromise Oracle Advanced Outbound Telephony over HTTP network connections. A malicious actor therefore needs no valid credentials, which points to a fundamental weakness in the component's authentication and authorization mechanisms. Because the issue sits in the user interface layer, it may stem from improper input validation or insufficient access controls in the web-based components that handle telephony operations. In CWE terms, this vulnerability likely corresponds to CWE-287 (improper authentication), while the HTTP attack vector aligns with ATT&CK technique T1190 for exploitation of remote services.
The operational impact extends beyond the telephony component itself: successful exploitation can yield unauthorized access to critical data and complete access to all data accessible to Oracle Advanced Outbound Telephony. At that level of access an attacker could potentially view sensitive customer information, call logs, telephony configuration and other confidential data stored in the system. The vulnerability also permits unauthorized update, insert or delete operations on some of the accessible data, opening the door to data manipulation, corruption or deletion that can severely disrupt business operations and compromise data integrity. The requirement for human interaction from a person other than the attacker suggests that social engineering or targeted phishing may be needed to initiate the attack, though the underlying flaw remains reachable over the network.
The CVSS v3.0 base score of 8.2 reflects the severity of this vulnerability, with impacts rated as high for both confidentiality and integrity. A score at this level means organizations face significant risk from exploitation, since the vulnerability can lead to data breaches and system compromise. Its potential to impact additional products beyond Oracle Advanced Outbound Telephony suggests that it may be part of a broader architectural weakness, or that it can leverage other system components to extend its reach. Organizations should apply immediate mitigations: network segmentation to limit access to the affected components, application-level firewalls to restrict HTTP traffic, and thorough access control reviews to contain the impact of any exploitation. Regular patching and monitoring of Oracle EBS installations is critical to prevent exploitation, and security awareness training should address the human interaction requirement to reduce social engineering risk. The vulnerability underlines the importance of keeping security controls current and of defense-in-depth strategies that protect against both network-based and user-interaction-based attacks on enterprise telephony systems.