
PatchSiren cyber security CVE debrief

CVE-2017-3250 Oracle CVE debrief

CVE-2017-3250 is an Oracle GlassFish Server vulnerability in Oracle Fusion Middleware that affects versions 2.1.1, 3.0.1, and 3.1.2. The public record describes it as easily exploitable over HTTP by an unauthenticated network attacker, with possible unauthorized data read/write access and partial denial of service.

Vendor: Oracle
Product: CVE-2017-3250
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and security teams responsible for Oracle GlassFish Server or Oracle Fusion Middleware, especially systems exposed to network-accessible HTTP traffic.

Technical summary

NVD rates the issue CVSS v3.0 base score 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps it to CWE-200 (exposure of sensitive information to an unauthorized actor). The vector indicates the flaw is reachable over the network without authentication or user interaction, with low-level impact on the confidentiality, integrity, and availability of data accessible to GlassFish Server.

Defensive priority

High. The issue is network-reachable, requires no authentication, and the published impact includes unauthorized data access, data modification, and partial service denial.

Recommended defensive actions

  • Review Oracle’s January 2017 Critical Patch Update advisory for GlassFish Server and apply the vendor’s remediation guidance.
  • Inventory any instances running GlassFish Server 2.1.1, 3.0.1, or 3.1.2 and prioritize externally reachable HTTP deployments.
  • Restrict network access to affected GlassFish interfaces until remediation is complete, especially admin and application endpoints.
  • Check logs and application activity for unauthorized reads, writes, deletes, or service degradation during any exposure window.

Evidence notes

This debrief is based on the CVE record published on 2017-01-27 and the NVD entry, which was last modified on 2026-05-13. The NVD metadata lists affected CPEs, the CVSS vector, CWE-200, and references Oracle’s January 2017 CPU advisory and a SecurityFocus BID entry.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-27; the NVD entry was modified on 2026-05-13. Oracle’s January 2017 CPU advisory is listed as a reference.