PatchSiren cyber security CVE debrief
CVE-2017-3253 Oracle CVE debrief
CVE-2017-3253 is a high-severity Oracle Java vulnerability in the 2D component that can let a network attacker cause a hang or repeatable crash, resulting in denial of service. Oracle’s CVE record and NVD list affected Java SE, Java SE Embedded, and JRockit releases, including Java SE 6u131, 7u121, 8u111/8u112, Java SE Embedded 8u111, and JRockit R28.3.12. The issue is described as exploitable through client and server deployments, including sandboxed Java Web Start applications and sandboxed Java applets.
- Vendor: Oracle
- Product: CVE-2017-3253
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Organizations that still run affected Oracle Java SE, Java SE Embedded, or JRockit builds, especially where Java Web Start, applets, or remotely supplied API input are accepted. Endpoint teams, application owners, and virtualization/container teams should care if legacy Java runtimes are present.
Technical summary
NVD classifies the flaw as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting a network-reachable availability impact with no confidentiality or integrity impact. Oracle’s description says unauthenticated attackers with network access via multiple protocols can trigger a hang or frequently repeatable crash. The affected scope in the supplied record is limited to the Java 2D subcomponent and the listed Oracle runtime versions. NVD lists CWE as NVD-CWE-noinfo, so the corpus does not provide a more specific weakness category.
Defensive priority
High priority for any environment that still exposes or depends on the affected Java runtimes. The availability impact is significant, but because the flaw has no confidentiality or integrity impact, the appropriate response is typically to patch and retire legacy Java where possible rather than the emergency containment a code-execution flaw would warrant.
Recommended defensive actions
- Confirm whether any systems still run the affected Oracle Java SE, Java SE Embedded, or JRockit versions listed in the CVE record.
- Apply the Oracle CPU January 2017 fixes or later vendor-supported updates that remediate the issue.
- Prioritize removal or replacement of legacy Java deployments that require Java Web Start, applets, or other network-facing Java functionality.
- Inventory server-side Java services that accept remote input into the affected APIs and verify they are on patched runtimes.
- Monitor for repeated JVM crashes or hangs on systems running impacted Java versions and correlate with Java 2D usage.
- Validate third-party remediation guidance from downstream vendors referenced in the CVE record, such as Red Hat, Debian, Gentoo, and NetApp advisories.
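The first inventory action above (confirming which hosts still run the affected update levels) as an added example that is not part of the original debrief: it parses the text that `java -version` prints and flags the Oracle Java SE and JRockit update levels the CVE record lists. Two things here are assumptions rather than statements from the record: update levels below the listed ones are treated as affected too (they predate the fix), and OpenJDK builds are reported as unknown so they can be checked against the downstream vendor advisories instead. The host names and version strings are constructed samples.

```python
"""Inventory check for CVE-2017-3253 (added example, not from the original debrief)."""
import re
import subprocess

# Highest affected update level per Java SE family, from the CVE record:
# Java SE 6u131, 7u121, 8u112 (8u111 is older than 8u112, so it is covered).
# Assumption: anything at or below these levels is unpatched.
AFFECTED_MAX_UPDATE = {6: 131, 7: 121, 8: 112}
# JRockit R28.3.12 is the release the record lists; same at-or-below assumption.
AFFECTED_JROCKIT_MAX = (28, 3, 12)

# Oracle runtimes print 'java version "1.8.0_112"'; the update suffix is absent on GA builds.
_SE_RE = re.compile(r'java version "1\.(\d)\.0(?:_(\d+))?')
# JRockit adds a line such as 'Oracle JRockit(R) (build R28.3.12-...)'.
_JROCKIT_RE = re.compile(r'JRockit\(R\) \(build R(\d+)\.(\d+)\.(\d+)')
# OpenJDK prints 'openjdk version "..."'; those builds follow downstream advisories.
_OPENJDK_RE = re.compile(r'openjdk version "')


def parse_java_version(output: str):
    """Classify `java -version` output.

    Returns ("jrockit", (major, minor, patch)), ("se", (family, update)),
    ("openjdk", None) or None when the text is not recognised.
    """
    m = _JROCKIT_RE.search(output)
    if m:
        return ("jrockit", tuple(int(x) for x in m.groups()))
    m = _SE_RE.search(output)
    if m:
        update = int(m.group(2)) if m.group(2) else 0
        return ("se", (int(m.group(1)), update))
    if _OPENJDK_RE.search(output):
        return ("openjdk", None)
    return None


def is_affected(output: str) -> bool:
    """True when the runtime is an Oracle build at or below a listed affected level."""
    parsed = parse_java_version(output)
    if parsed is None or parsed[0] == "openjdk":
        return False  # new-style "9.0.1" strings, unknown text, or a downstream build
    kind, ver = parsed
    if kind == "jrockit":
        return ver <= AFFECTED_JROCKIT_MAX
    family, update = ver
    limit = AFFECTED_MAX_UPDATE.get(family)
    return limit is not None and update <= limit


def triage(outputs: dict) -> list:
    """Return the sorted host names whose captured output indicates an affected runtime."""
    return sorted(host for host, text in outputs.items() if is_affected(text))


def check_local_java() -> bool:
    """Run `java -version` on this host (it prints to stderr) and apply the check."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False  # no Java on PATH
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample outputs, as an asset-inventory tool might collect them.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.8.0_112"\nJava(TM) SE Runtime Environment (build 1.8.0_112-b15)',
    "host-b": 'java version "1.8.0_144"\nJava(TM) SE Runtime Environment (build 1.8.0_144-b01)',
    "host-c": 'java version "1.6.0_45"\nOracle JRockit(R) (build R28.3.12-sample, compiled mode)',
    "host-d": 'java version "9.0.1"\nJava(TM) SE Runtime Environment (build 9.0.1+11)',
    "host-e": 'openjdk version "1.8.0_111"\nOpenJDK Runtime Environment (build 1.8.0_111-sample)',
}

if __name__ == "__main__":
    for host in triage(SAMPLE_OUTPUTS):
        print(f"{host}: affected Oracle Java runtime, apply CPU January 2017 or later")
    for host, text in SAMPLE_OUTPUTS.items():
        if parse_java_version(text) == ("openjdk", None):
            print(f"{host}: OpenJDK build, check the downstream vendor advisory")
```

Feed the function whatever your inventory tooling captures from `java -version` (note that Oracle's launcher writes it to stderr); a host is only cleared when it is not on an Oracle build at or below the listed levels, so unrecognised output should be investigated rather than assumed safe.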
Evidence notes
All statements are grounded in the supplied CVE and NVD corpus. The CVE was published on 2017-01-27T22:59:02.727Z. The supplied record names Oracle Java SE, Java SE Embedded, and JRockit; the affected versions listed in the corpus are Java SE 6u131, 7u121, 8u111, 8u112; Java SE Embedded 8u111; and JRockit R28.3.12. NVD assigns CVSS v3.0 7.5 High with vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The record also notes sandboxed Java Web Start applications, sandboxed Java applets, and direct API input as possible exposure paths. No KEV entry is present in the supplied enrichment.
Official resources
Publicly disclosed in the CVE record on 2017-01-27. The supplied corpus indicates later metadata modification on 2026-05-13, which is not the vulnerability date. No KEV designation is included in the supplied enrichment.