CVE-2017-3399 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2017-3399 resides within the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically within the User Interface subcomponent. It affects multiple version lines, 12.1.1 through 12.2.6, which represents a significant attack surface across the Oracle EBS ecosystem. The vulnerability is reachable over HTTP and requires no authentication to exploit, which makes it particularly dangerous: an unauthenticated attacker with network access can compromise the targeted component. It falls under the CWE-284 (Improper Access Control) weakness category, covering access control mechanisms that permit unauthorized system access.

Technically, the flaw stems from inadequate authentication controls within the telephony interface, enabling attackers to bypass normal access restrictions without valid credentials. The attack vector is network connectivity over HTTP, so the vulnerability can be exploited remotely without physical access to the system. Exploitation requires human interaction from a person other than the attacker, indicating that an attack may involve social engineering elements or depend on specific user actions to complete the compromise. This characteristic aligns with ATT&CK technique T1068 for bypassing security measures through social engineering and user interaction.

The operational impact of this vulnerability extends beyond the immediate Advanced Outbound Telephony component, potentially affecting additional Oracle products within the EBS environment. Successful exploitation can result in unauthorized access to critical data repositories and complete access to all data accessible through the telephony interface. Additionally, attackers can perform unauthorized modifications to the system including updates, inserts, and deletions of data within the affected component. The CVSS v3.0 base score of 8.2 indicates high severity with significant confidentiality and integrity impacts, reflecting the potential for data breaches and system compromise. This vulnerability represents a critical risk for organizations relying on Oracle EBS for business operations, particularly those handling sensitive customer information or financial data.

Organizations should implement immediate mitigations including network segmentation to restrict access to the vulnerable telephony interfaces, deployment of web application firewalls to monitor and filter HTTP traffic, and application of Oracle's official security patches. The vulnerability's classification under CWE-284 emphasizes the need for robust access control mechanisms and proper authentication protocols. Security teams should also consider implementing monitoring solutions to detect unusual access patterns or unauthorized data modifications that could indicate exploitation attempts. Regular vulnerability assessments and penetration testing should be conducted to identify similar access control weaknesses within the broader Oracle EBS environment, particularly focusing on components that handle sensitive data and user interactions. The attack surface implications require comprehensive security reviews of all Oracle EBS components to prevent similar vulnerabilities from being exploited across the enterprise infrastructure.

Reservation

12/06/2016

Disclosure

01/27/2017

Moderation

accepted

Entry

VDB-96192

CPE

ready

EPSS

0.01237

KEV

no

Activities

very low

Sources
