PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-5528 Oracle CVE debrief

CVE-2016-5528 is a critical vulnerability in the Security subcomponent of Oracle GlassFish Server. An unauthenticated attacker with network access over multiple protocols can exploit it to compromise the server; Oracle and NVD describe a successful attack as resulting in takeover of Oracle GlassFish Server, with high confidentiality, integrity, and availability impact. The affected supported versions listed in the record are 2.1.1, 3.0.1, and 3.1.2.

Vendor
Oracle
Product
Oracle GlassFish Server
CVSS
CRITICAL 9.0 (v3.0)
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Administrators and security teams responsible for Oracle GlassFish Server deployments, especially any that expose the service to untrusted networks or embed GlassFish in a larger application stack. Because the record notes that attacks may impact additional products (the CVSS scope metric is Changed), owners of downstream applications and platform operators should also review their exposure.

Technical summary

NVD scores the issue CVSS v3.0 9.0 with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Decoded: network attack vector; high attack complexity, meaning exploitation depends on conditions outside the attacker's control (with AC:L the same vector would score 10.0); no privileges and no user interaction required; and scope Changed, meaning a successful attack can affect resources beyond the vulnerable GlassFish component, which is consistent with the record's note that additional products may be impacted. Confidentiality, integrity, and availability impacts are all rated High. The record identifies Oracle GlassFish Server 2.1.1, 3.0.1, and 3.1.2 as affected and gives server takeover as the potential outcome. The NVD weakness mapping is NVD-CWE-noinfo (insufficient information to assign a CWE), so the root cause is not specified in the supplied corpus and nothing here should be read as describing the underlying flaw.

Defensive priority

High priority. The combination of critical severity, unauthenticated remote reachability, and potential full takeover warrants prompt inventory, exposure reduction, and patch verification. The High attack complexity in the vector lowers the likelihood of exploitation but not its impact, so it should not be used to defer remediation.

Recommended defensive actions

  • Identify all Oracle GlassFish Server instances and confirm whether each is version 2.1.1, 3.0.1, or 3.1.2.
  • Apply the fixes from Oracle's January 2017 Critical Patch Update (CPU) advisory and any mitigations it references.
  • Reduce or remove network exposure of GlassFish where possible, especially from untrusted networks; because the issue is reachable over multiple protocols, restrict every listener, not just HTTP.
  • Review downstream applications or services that depend on GlassFish for blast-radius impact, since the record notes that additional products may be affected.
  • Verify remediation by checking the installed build/version against the affected versions listed in NVD; where a vendor patch leaves the reported version string unchanged, confirm the applied patch identifier from the advisory rather than relying on the version alone.
  • Track Oracle and NVD updates for this CVE, including any further clarifications in the official record.
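As an added example of the inventory and verification steps above (not tooling from Oracle, NVD, or this site), the following Python script parses the output of `asadmin version` from each GlassFish host and flags installs whose release line matches one the record lists as affected. The sample outputs are constructed for illustration, not real captures, and the handling of four-component versions such as 3.1.2.2 is a conservative assumption: they are flagged for patch-level verification rather than silently passed.

```python
"""Version triage for Oracle GlassFish Server hosts against CVE-2016-5528.

Added example, not from the advisory or NVD record. Parses `asadmin version`
output and flags releases the record lists as affected. Sample outputs below
are constructed for illustration.
"""
import re
import subprocess
from typing import Optional

# Affected supported versions per the NVD record.
AFFECTED_RELEASES = ("2.1.1", "3.0.1", "3.1.2")

# Matches e.g. "Version = Oracle GlassFish Server 3.1.2.2 (build 5)".
VERSION_RE = re.compile(r"Version\s*=\s*(?P<product>.*?)\s+(?P<version>\d+(?:\.\d+)+)")


def parse_asadmin_version(output: str) -> Optional[dict]:
    """Extract product name and version from `asadmin version` output; None if absent."""
    for line in output.splitlines():
        m = VERSION_RE.search(line)
        if m:
            return {"product": m.group("product").strip(), "version": m.group("version")}
    return None


def release_line(version: str) -> str:
    """Reduce '3.1.2.2' to the three-component release '3.1.2'."""
    return ".".join(version.split(".")[:3])


def is_affected(version: str) -> bool:
    """True when the release line matches one listed in the record.

    Assumption (not stated in the record): a fourth component such as
    3.1.2.2 is treated as the same release line so it gets flagged for
    patch-level verification instead of being skipped.
    """
    return release_line(version) in AFFECTED_RELEASES


def triage(host: str, output: str) -> dict:
    """Classify one host from its captured `asadmin version` output."""
    info = parse_asadmin_version(output)
    if info is None:
        return {"host": host, "version": None, "status": "UNKNOWN (no version line)"}
    if is_affected(info["version"]):
        status = "AFFECTED - verify CPU patch applied"
    else:
        # Not in the record's list; this is not proof the host is patched.
        status = "not in affected list"
    return {"host": host, "version": info["version"], "status": status}


def run_asadmin_version(asadmin_path: str) -> str:
    """Run `<glassfish_home>/bin/asadmin version` locally and return stdout."""
    return subprocess.run([asadmin_path, "version"], capture_output=True,
                          text=True, check=False).stdout


# Constructed sample outputs (not real captures), keyed by hostname.
SAMPLE_OUTPUTS = {
    "app-01": "Version = Oracle GlassFish Server 3.1.2.2 (build 5)\nCommand version executed successfully.\n",
    "app-02": "Version = Oracle GlassFish Server 2.1.1 (build 23)\nCommand version executed successfully.\n",
    "app-03": "Version = GlassFish Server Open Source Edition 4.1.1 (build 1)\nCommand version executed successfully.\n",
    "app-04": "Command version failed.\n",
}

if __name__ == "__main__":
    for host, out in SAMPLE_OUTPUTS.items():
        r = triage(host, out)
        print(f"{r['host']:8} {str(r['version']):10} {r['status']}")
```

In a real run, replace SAMPLE_OUTPUTS with the result of run_asadmin_version on each host (or with output collected by your configuration-management tool). A host reported as "not in affected list" still needs the CPU patch state confirmed if the version string does not change when the patch is applied.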

Evidence notes

All claims are derived from the supplied NVD record and the referenced Oracle advisory link. The CVE description states the affected supported versions (2.1.1, 3.0.1, 3.1.2), the unauthenticated network access requirement, multiple-protocol reachability, and possible takeover outcome. NVD supplies CVSS v3.0 vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H and a severity score of 9.0. No KEV listing was provided in the corpus. The precise flaw mechanism is not described beyond NVD-CWE-noinfo.

Official resources

CVE published 2017-01-27T22:59:00.193Z and last modified 2026-05-13T00:24:29.033Z, per the supplied timeline and NVD source metadata. No CISA KEV date was provided.