PatchSiren cyber security CVE debrief

CVE-2017-3249 Oracle CVE debrief

CVE-2017-3249 is an Oracle GlassFish Server vulnerability in the Security subcomponent of Oracle Fusion Middleware. Oracle and NVD describe it as easily exploitable over the network via LDAP by an unauthenticated attacker, with impacts that include unauthorized data read, update, insert, or delete access, plus partial denial of service. NVD rates the issue CVSS 3.0 7.3 (HIGH).

Vendor: Oracle
Product: CVE-2017-3249
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running Oracle GlassFish Server 2.1.1, 3.0.1, or 3.1.2 should prioritize this issue, especially environments exposed to LDAP traffic or otherwise reachable from untrusted networks.

Technical summary

The NVD record identifies affected Oracle GlassFish Server versions 2.1.1, 3.0.1, and 3.1.2. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a network-reachable, unauthenticated issue with low attack complexity and limited but meaningful confidentiality, integrity, and availability impact. The vulnerability is described as exploitable via LDAP.

Defensive priority

High. The issue is network-exploitable, requires no authentication, and affects core data confidentiality, integrity, and availability. Even though the CVSS score is below critical, exposed deployments should be treated as urgent patch candidates.

Recommended defensive actions

  • Review whether Oracle GlassFish Server 2.1.1, 3.0.1, or 3.1.2 is deployed anywhere in the environment.
  • Apply Oracle's January 2017 security update guidance for the affected GlassFish Server release(s) referenced in the vendor advisory.
  • Restrict network access to LDAP-related services and to administrative interfaces to trusted hosts only.
  • Monitor affected servers for unexpected data modification, deletion, or service degradation.
  • Inventory downstream applications and middleware that bundle or depend on the affected GlassFish Server versions.
  • Confirm remediation against the current Oracle and NVD records after patching.

Evidence notes

NVD lists the vulnerability in Oracle GlassFish Server, affected versions 2.1.1, 3.0.1, and 3.1.2, with CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L and severity HIGH (7.3). Oracle's January 2017 Critical Patch Update advisory is referenced by NVD as the vendor patch/advisory source. No exploit code or offensive reproduction details are included here.

Official resources

First published in NVD on 2017-01-27T22:59:02.583Z. The NVD record was last modified on 2026-05-13T00:24:29.033Z.