PatchSiren

CVE-2016-5547 Oracle CVE debrief

CVE-2016-5547 is a network-exploitable Oracle Java vulnerability in the Libraries component affecting specific Java SE, Java SE Embedded, and JRockit releases. Oracle and NVD describe the impact as partial denial of service only, with exposure possible in both client and server deployments, including sandboxed Java Web Start applications, sandboxed Java applets, and API-driven data handling.

Vendor: Oracle
Product: CVE-2016-5547
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and application owners running Oracle Java SE/JRE/JDK 7u121 or 8u111/8u112, Java SE Embedded 8u111, or JRockit R28.3.12. Pay special attention to environments that allow Java Web Start, applets, or any service/API that passes untrusted data into Java Libraries.

Technical summary

The NVD record identifies the issue as CVSS 3.0 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating a low-complexity network attack with no privileges or user interaction required and availability-only impact. Affected CPEs include Oracle JDK/JRE 1.7 update 121, Oracle JDK/JRE 1.8 update 111 and update 112, and Oracle JRockit R28.3.12. NVD assigns NVD-CWE-noinfo, so the corpus does not specify a more precise weakness class.

Defensive priority

Medium. The issue is easy to reach over the network and requires no authentication, but the documented impact is limited to partial denial of service rather than code execution or data compromise.

Recommended defensive actions

  • Apply the Oracle January 2017 CPU remediation or a vendor-equivalent fix for the affected Java releases.
  • Inventory Java SE, Java SE Embedded, and JRockit deployments to confirm whether any affected update levels are present.
  • Prioritize systems that expose Java applets, Java Web Start, or services that accept untrusted input into Java Libraries.
  • Replace or upgrade unsupported Java runtimes where patching is no longer available.
  • Validate downstream platform advisories and packaged updates from your Linux or appliance vendor before and after remediation.
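
One way to carry out the inventory step above, as an added example that is not part of the original debrief or any vendor tooling: it classifies `java -version` banners against the update levels this page lists. The host names and banner strings are constructed samples, and the function names are hypothetical.

```python
import re

# Update levels this page lists as affected (Java SE 7u121, 8u111/8u112; JRockit R28.3.12).
AFFECTED_JAVA = {(7, 121), (8, 111), (8, 112)}
AFFECTED_JROCKIT = {"R28.3.12"}

# Legacy banner form printed by `java -version`, e.g. java version "1.8.0_111".
# Java 9+ banners use a different scheme and are reported as "unparsed".
JAVA_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)(?:-[\w.]+)?"')
JROCKIT_RE = re.compile(r"JRockit.*?\b(R\d+\.\d+\.\d+)")


def classify(banner):
    """Return (status, detail) for one host's version banner text."""
    jr = JROCKIT_RE.search(banner)
    if jr:
        # JRockit banners also carry a Java version line, so check JRockit first.
        rel = jr.group(1)
        return ("listed" if rel in AFFECTED_JROCKIT else "not-listed", "JRockit " + rel)
    m = JAVA_RE.search(banner)
    if not m:
        text = banner.strip()
        return ("unparsed", text.splitlines()[0] if text else "")
    major, update = int(m.group(1)), int(m.group(2))
    status = "listed" if (major, update) in AFFECTED_JAVA else "not-listed"
    return (status, "%du%d" % (major, update))


def inventory(banners):
    """Map host -> (status, detail). 'not-listed' means not named on this page, not 'safe'."""
    return {host: classify(text) for host, text in banners.items()}


# Constructed sample banners from hypothetical hosts.
SAMPLE = {
    "app01": 'java version "1.8.0_111"\nJava(TM) SE Runtime Environment (build 1.8.0_111-b14)',
    "app02": 'java version "1.7.0_121"\nJava(TM) SE Runtime Environment (build 1.7.0_121-b15)',
    "app03": 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)',
    "wls01": 'java version "1.6.0_141"\nOracle JRockit(R) (build R28.3.12-5-x-1.6.0_141-x-linux-x86_64, compiled mode)',
    "app04": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, (status, detail) in sorted(inventory(SAMPLE).items()):
        print("%-6s %-10s %s" % (host, status, detail))
```

Hosts reported as "unparsed" or "not-listed" still need a manual check against the Oracle January 2017 CPU, since this sketch matches only the exact update levels named above.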

Evidence notes

Source corpus states: affected versions are Java SE 7u121 and 8u112, Java SE Embedded 8u111, and JRockit R28.3.12; successful attacks can cause partial DoS; the issue applies to client and server deployments and can be reached through sandboxed Java Web Start applications, sandboxed Java applets, or supplied data to APIs. NVD lists CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and weakness NVD-CWE-noinfo. NVD references Oracle CPU January 2017 and multiple downstream vendor advisories, supporting patch availability.

Official resources

CVE published in NVD on 2017-01-27T22:59:00.333Z and last modified on 2026-05-13T00:24:29.033Z. The NVD reference list includes Oracle's January 2017 CPU and downstream vendor advisories.