PatchSiren

CVE-2017-3239 Oracle CVE debrief

CVE-2017-3239 is a low-severity information disclosure vulnerability in Oracle GlassFish Server, part of Oracle Fusion Middleware. According to NVD, it affects GlassFish Server 3.0.1 and 3.1.2 and allows a low-privileged attacker with logon access to the infrastructure where the server runs to read a subset of data accessible to the server. The CVE was published on 2017-01-27, and the NVD record cites Oracle’s January 2017 Critical Patch Update as the vendor reference.

Vendor: Oracle
Product: CVE-2017-3239
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Oracle GlassFish Server 3.0.1 or 3.1.2, especially on hosts where local users or service accounts may have login access.

Technical summary

NVD assigns CVE-2017-3239 a CVSS v3.0 score of 3.3 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness is classified as CWE-200. The issue is local rather than remote: an attacker needs low privileges and logon access to the infrastructure where Oracle GlassFish Server executes. Successful exploitation can expose a limited subset of server-accessible data, with no integrity or availability impact described in the supplied corpus.

Defensive priority

Low; treat as routine remediation for affected deployments with local user exposure or sensitive data on the GlassFish host.

Recommended defensive actions

  • Confirm whether Oracle GlassFish Server 3.0.1 or 3.1.2 is deployed in your environment.
  • Review Oracle’s January 2017 Critical Patch Update referenced by NVD for vendor remediation guidance.
  • Restrict local logon access on hosts running GlassFish Server to trusted administrators and service accounts.
  • Audit host-level access controls and account privileges around systems that run the affected server.
  • If patching is delayed, treat the server host as sensitive and minimize who can log in locally.

Evidence notes

All substantive claims in this debrief are drawn from the supplied NVD record and its Oracle advisory reference. NVD lists the affected CPEs as oracle:glassfish_server 3.0.1 and 3.1.2, the CVSS v3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, and weakness CWE-200. The record also states that a low-privileged attacker with logon access to the infrastructure can compromise Oracle GlassFish Server and obtain unauthorized read access to a subset of accessible data.

Official resources

CVE published by NVD on 2017-01-27. The supplied source record was last modified on 2026-05-13, which is record maintenance context rather than the vulnerability date. NVD cites Oracle’s January 2017 Critical Patch Update as the vendor-adj.