PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3231 Oracle CVE debrief

CVE-2017-3231 is a flaw in the Networking component of Oracle Java SE and Java SE Embedded that can let an attacker read a limited subset of accessible data. Oracle’s description says it is easily exploitable over the network, but it requires user interaction and is primarily relevant to sandboxed Java Web Start applications or applets that load untrusted code. The documented impact is confidentiality-only, with no integrity or availability impact in the NVD vector.

Vendor
Oracle
Product
Java SE, Java SE Embedded
CVSS
MEDIUM 4.3
CISA KEV
Not listed in the stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Organizations that still run client-side Java deployments, especially Java Web Start or applet-based workflows, should pay attention. This is less relevant to typical server deployments that only execute trusted administrator-installed code, but endpoint teams, desktop management, and application owners using older Java runtimes should still verify exposure.

Technical summary

The CVE is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and scored CVSS 3.0 4.3/Medium with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. Oracle’s record identifies affected Java SE versions 6u131, 7u121, and 8u112, plus Java SE Embedded 8u111. NVD’s CPE set also lists Java 8u111 alongside 8u112 for JDK/JRE coverage. The key risk is limited unauthorized read access in sandboxed client contexts after user interaction, not code execution or system compromise.

Defensive priority

Medium. The exposure is network-reachable and user-assisted, but the impact is limited to confidentiality and the vulnerable surface is narrower than server-side Java deployments.

Recommended defensive actions

  • Inventory Java SE and Java SE Embedded deployments, especially client endpoints using Java Web Start or applets.
  • Confirm whether any systems are on the affected update lines listed in the source corpus: 6u131, 7u121, 8u111, 8u112, and Java SE Embedded 8u111.
  • Apply Oracle’s January 2017 Critical Patch Update (or any later release on the same Java line), or the vendor-fixed packages referenced by the advisory and by downstream distribution errata.
  • Remove or disable legacy Java client components where they are no longer needed.
  • Review whether untrusted code is allowed to run in Java sandboxed contexts and reduce that exposure where possible.
  • Use vendor advisories and package-manager updates from downstream distributors to verify backported fixes on Linux and enterprise platforms.
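The inventory and version-confirmation steps above are easy to get wrong by hand because Oracle names only the newest affected update of each line (6u131, 7u121, 8u112), and every earlier update on that line is unpatched too. The following script is an added example written for this debrief, not code from Oracle or from PatchSiren: it parses `java -version` banners, maps each host to the Java line and update level, and flags anything at or below the affected update bound for that line. The hostnames and banners are constructed samples, not captured from real systems. The script treats Java SE Embedded 8u111 as covered by the 8u112 bound on the 8 line, since the banner does not distinguish Embedded from the desktop JRE. Its verdict is a version heuristic only: for OpenJDK builds shipped by Linux distributions, rely on the package manager's errata, because backported fixes may not change the update number in the same way.

```python
import re

# Highest affected update level per Java SE line, taken from the affected versions this
# debrief cites for the January 2017 CPU: 6u131, 7u121, 8u112 (Java SE Embedded 8u111
# sits on the 8 line and is covered by the 8u112 bound).
AFFECTED_MAX_UPDATE = {6: 131, 7: 121, 8: 112}

# Legacy "1.<major>.0_<update>" form printed by Java 6/7/8, e.g. 1.8.0_112-b15.
_LEGACY = re.compile(r"\b1\.(\d)\.0_(\d+)")
# Newer "<major>.<minor>.<security>" form used from Java 9 on, e.g. 11.0.2.
_MODERN = re.compile(r"\b(\d{1,2})\.(\d+)\.(\d+)")


def parse_java_version(output: str):
    """Return (major, update) from `java -version` output, or None if unrecognised."""
    m = _LEGACY.search(output)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(output)
    if m:
        major, minor, security = (int(g) for g in m.groups())
        if major == 1:
            # "1.8.0" with no _NN suffix is the GA release of that line, i.e. update 0.
            return minor, 0
        # Java 9+ numbering: the security counter plays the role of the update level.
        return major, security
    return None


def is_affected(output: str):
    """
    True  -> Java 6/7/8 runtime at or below the highest affected update of its line.
    False -> newer update on an affected line, or a line (9+) this CVE does not cover.
    None  -> banner not parseable; callers must treat this as 'unknown', never 'safe'.
    The comparison is <= because Oracle lists the newest affected update and all earlier
    updates of that line predate the fix.
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update = parsed
    bound = AFFECTED_MAX_UPDATE.get(major)
    if bound is None:
        return False
    return update <= bound


# Constructed sample banners (hypothetical hosts, not captured from real systems),
# one per branch of the logic above.
SAMPLE_BANNERS = {
    "desktop-01": 'java version "1.8.0_112"\nJava(TM) SE Runtime Environment (build 1.8.0_112-b15)',
    "desktop-02": 'java version "1.8.0_121"\nJava(TM) SE Runtime Environment (build 1.8.0_121-b13)',
    "kiosk-03": 'java version "1.7.0_80"\nJava(TM) SE Runtime Environment (build 1.7.0_80-b15)',
    "legacy-04": 'java version "1.6.0_131"',
    "build-05": 'openjdk version "11.0.2" 2019-01-15',
    "broken-06": "bash: java: command not found",
}


def triage(banners: dict) -> dict:
    """Map hostname -> 'affected' | 'not_affected' | 'unknown' for a batch of banners."""
    labels = {True: "affected", False: "not_affected", None: "unknown"}
    return {host: labels[is_affected(text)] for host, text in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host:12s} {verdict}")
```

Feed it the output of `java -version 2>&1` collected from endpoints (for example via your configuration-management tool); the "unknown" bucket is the one to chase manually, since a host with no parseable banner may still have a JRE installed under a non-default path.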

Evidence notes

The CVE was published on 2017-01-27. Oracle’s description in the supplied corpus states that the issue affects Java SE and Java SE Embedded networking components, requires human interaction, and impacts sandboxed client deployments that load untrusted code. NVD assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N and CWE-200. The supplied reference set also links Oracle’s January 2017 CPU advisory and downstream vendor errata, supporting remediation through vendor updates.

Official resources

Oracle disclosed the issue in the January 2017 Critical Patch Update cycle; the CVE record was published by NVD on 2017-01-27 and later modified on 2026-05-13. This debrief uses the CVE publication date for timing context, not the later NVD