CVE-2017-3400 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/16/2026

The vulnerability identified as CVE-2017-3400 resides within the Oracle Advanced Outbound Telephony component of the Oracle E-Business Suite, specifically within the User Interface subcomponent. It affects multiple versions, 12.1.1 through 12.2.6, representing a significant attack surface across the Oracle EBS ecosystem. The vulnerability operates at the application layer and is reached over HTTP, making it accessible to remote attackers without authentication credentials. This represents a critical security gap in enterprise telephony infrastructure that could compromise sensitive business communications and data integrity.

The technical flaw manifests as insufficient input validation within the user interface component that processes HTTP requests. Attackers can exploit this vulnerability by crafting malicious HTTP requests that bypass normal authentication procedures, allowing unauthorized access to telephony functions and associated data repositories. Its classification as easily exploitable indicates that the attack requires minimal technical sophistication, though it does demand human interaction from a legitimate user other than the attacker. This human interaction requirement typically means a user clicking a malicious link or visiting a compromised web page that triggers the vulnerability, which makes it particularly dangerous in social engineering scenarios.

The operational impact of this vulnerability extends beyond the immediate scope of Oracle Advanced Outbound Telephony, potentially affecting interconnected Oracle EBS products and systems. Successful exploitation can lead to unauthorized access to critical business data including customer information, communication logs, and telephony configuration details. The security implications encompass both confidentiality and integrity breaches, allowing attackers to not only read sensitive data but also modify, insert, or delete information within the telephony system. This dual impact creates significant risk for organizations relying on telephony integration for business operations, potentially disrupting communication services and compromising data integrity across enterprise networks.

The CVSS v3.0 base score of 8.2 indicates a high-severity vulnerability that requires immediate attention from security administrators. This assessment aligns with CWE-284 (Improper Access Control) and maps to ATT&CK techniques including T1190 (Exploit Public-Facing Application) and T1071.004 (Application Layer Protocol: DNS). Organizations should implement immediate mitigations including network segmentation, firewall rule updates, and application-level access controls to limit exposure. Oracle recommends applying the relevant security patches and updates as soon as possible, alongside additional monitoring to detect suspicious HTTP traffic patterns. The vulnerability's impact across multiple EBS versions underscores the importance of comprehensive patch management and regular security assessments to prevent exploitation of similar weaknesses in enterprise applications.

Reservation

12/06/2016

Disclosure

01/27/2017

Moderation

accepted

Entry

VDB-96193

CPE

ready

EPSS

0.01237

KEV

no

Activities

very low
