PatchSiren cyber security CVE debrief
CVE-2017-3247 Oracle CVE debrief
CVE-2017-3247 is a Medium-severity Oracle GlassFish Server issue affecting supported versions 2.1.1, 3.0.1, and 3.1.2. According to the NVD record, an unauthenticated attacker with network access via SMTP can exploit the flaw, but successful attacks require human interaction from someone other than the attacker. The confirmed impact is limited to integrity: unauthorized update, insert, or delete access to some accessible data.
- Vendor: Oracle
- Product: Oracle GlassFish Server (CVE-2017-3247)
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Administrators and operators running affected Oracle GlassFish Server versions should pay attention, especially environments that expose SMTP-connected workflows or depend on user interaction to process messages.
Technical summary
NVD lists CVSS v3.0 as AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (4.3). The affected CPEs are Oracle GlassFish Server 2.1.1, 3.0.1, and 3.1.2. The public description says exploitation is possible over the network via SMTP, does not require privileges, and depends on human interaction. The documented impact is integrity-only modification of some accessible data; confidentiality and availability impacts are not indicated in the supplied record.
Defensive priority
Medium. The attack surface is network-reachable and unauthenticated, but the impact is limited and user interaction is required. Prioritize remediation where the affected GlassFish versions are still deployed and exposed to SMTP-driven workflows.
Recommended defensive actions
- Confirm whether Oracle GlassFish Server versions 2.1.1, 3.0.1, or 3.1.2 are in use anywhere in the environment.
- Review the Oracle January 2017 Critical Patch Update advisory referenced by NVD for vendor guidance and any available fixes.
- Reduce exposure of SMTP-facing paths that trigger human interaction where feasible, especially around systems that process untrusted mail.
- Apply vendor-recommended patches or upgrades as documented by Oracle for the affected product versions.
- If immediate patching is not possible, add compensating controls such as segmentation, tighter mail input handling, and monitoring for unexpected data changes in GlassFish-backed applications.
Evidence notes
This debrief is based on the supplied NVD record for CVE-2017-3247 and its referenced Oracle advisory and SecurityFocus entry. The record states the affected versions, the attack vector (network via SMTP), the requirement for user interaction, and the impact to data integrity. NVD classifies the weakness as NVD-CWE-noinfo, so no more specific CWE should be inferred from the supplied corpus.
Official resources
- CVE-2017-3247 CVE record (CVE.org)
- CVE-2017-3247 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
Originally published by NVD/CVE on 2017-01-27. The supplied NVD record was last modified on 2026-05-13.