PatchSiren cyber security CVE debrief
CVE-2017-3259 Oracle CVE debrief
CVE-2017-3259 is a low-severity Oracle Java SE Deployment vulnerability that affects specific JDK/JRE releases and is relevant mainly to client-side Java deployments running untrusted code in a sandbox. According to NVD, successful exploitation can allow an unauthenticated network attacker to obtain unauthorized read access to a subset of Java SE accessible data. Oracle’s affected versions listed in NVD are Java SE 6u131, 7u121, and 8u112. The issue is not described as impacting server deployments that only run trusted code.
- Vendor: Oracle
- Product: Java SE
- CVSS: LOW 3.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Security teams and application owners who still support Oracle Java client deployments, especially Java Web Start applications, applets, or other sandboxed environments that load untrusted code from the network. Organizations running only trusted, server-side Java code are specifically called out as outside the intended impact scope in the source description.
Technical summary
NVD classifies the issue with CVSS v3.0 vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, reflecting network reachability, no privileges, no user interaction, high attack complexity, and limited confidentiality impact only. The affected CPEs in the source include Oracle JDK and JRE 1.6 update 131, 1.7 update 121, and 1.8 update 112. The weakness is recorded as NVD-CWE-noinfo, so the public source set does not specify a more precise CWE.
Defensive priority
Moderate for environments that still run legacy Java clients; otherwise low. The CVSS score is low, but the impact is relevant where older Oracle Java client runtimes remain deployed and are used to load untrusted content.
Recommended defensive actions
- Inventory Oracle Java SE client deployments and identify any systems still on 6u131, 7u121, or 8u112.
- Upgrade to a supported, non-vulnerable Java release that is newer than the affected versions listed by NVD.
- Review and reduce use of Java applets and Java Web Start where possible, especially for untrusted internet-delivered code.
- Apply Oracle’s January 2017 CPU updates or the corresponding downstream vendor advisories referenced in NVD if you still maintain legacy affected systems.
- Treat sandboxed client-side Java environments as higher priority than trusted server-side Java deployments for this CVE.
- Verify remediation against vendor advisories and your software inventory rather than relying on the CVSS score alone.
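The inventory step above is easier to do consistently with a small checker that parses the banner printed by `java -version` and compares it against the three releases NVD lists for this CVE. The following is an added example written for this debrief, not code from PatchSiren, Oracle or NVD. It assumes the legacy `1.<family>.0_<update>` version-string scheme used by Java 6 through 8 and the newer `<major>.<minor>.<patch>` scheme; the sample banners and host names are constructed, and the status labels are this example's own.

```python
import re
from typing import Dict, NamedTuple, Optional

# Affected releases as listed by NVD for CVE-2017-3259 (from the debrief):
# Java SE 6u131, 7u121 and 8u112, keyed by major family -> update number.
AFFECTED_UPDATES = {6: 131, 7: 121, 8: 112}

# The first line of `java -version` output carries the version in quotes,
# e.g. java version "1.8.0_112" or openjdk version "11.0.2" 2019-01-15.
_VERSION_RE = re.compile(r'version "(?P<ver>[^"]+)"')


class JavaVersion(NamedTuple):
    family: int   # 6, 7, 8, 11, ...
    update: int   # e.g. 112 for 1.8.0_112; 0 when no update suffix is present


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract (family, update) from the text printed by `java -version`."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    ver = m.group("ver")
    # Legacy scheme: 1.<family>.0_<update>, e.g. 1.7.0_121
    legacy = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", ver)
    if legacy:
        return JavaVersion(int(legacy.group(1)), int(legacy.group(2) or 0))
    # Modern scheme: <major>.<minor>.<patch>, e.g. 11.0.2 (family is the major)
    modern = re.match(r"(\d+)(?:\.\d+)*", ver)
    if modern:
        return JavaVersion(int(modern.group(1)), 0)
    return None


def classify(v: JavaVersion) -> str:
    """Compare a parsed runtime against the NVD-listed affected releases.

    Only the exact listed updates are reported as "affected"; earlier updates
    in the same family are not in NVD's list for this CVE and are flagged
    separately so they can be reviewed against the vendor advisories.
    """
    listed = AFFECTED_UPDATES.get(v.family)
    if listed is None:
        return "not-listed"            # family (e.g. 9, 11) is not in NVD's list
    if v.update == listed:
        return "affected"
    if v.update > listed:
        return "newer-than-listed"     # past the listed update for this family
    return "older-than-listed"         # review against vendor advisories


def inventory(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a collection of captured `java -version` banners."""
    result = {}
    for host, output in banners.items():
        parsed = parse_java_version(output)
        result[host] = "unparsed" if parsed is None else classify(parsed)
    return result


# Constructed sample banners, as an operator might collect them per host.
SAMPLE_BANNERS = {
    "ws-01": 'java version "1.8.0_112"\n'
             'Java(TM) SE Runtime Environment (build 1.8.0_112-b15)',
    "ws-02": 'java version "1.7.0_121"',
    "ws-03": 'java version "1.6.0_131"',
    "ws-04": 'java version "1.8.0_121"',
    "ws-05": 'java version "1.8.0_101"',
    "srv-01": 'openjdk version "11.0.2" 2019-01-15',
    "srv-02": "bash: java: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(inventory(SAMPLE_BANNERS).items()):
        print(f"{host:8} {status}")
```

Feeding real banners in is a matter of running `java -version 2>&1` on each host (the banner goes to stderr) and storing the text by host name; anything reported as "affected" or "older-than-listed" is a candidate for the upgrade and applet/Web Start review steps above.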
Evidence notes
All core claims are taken from the supplied NVD record and its Oracle-linked references. The record states affected versions 6u131, 7u121, and 8u112; describes the impact as unauthorized read access to a subset of Java SE accessible data; and narrows applicability to sandboxed Java Web Start/applications or applets that load untrusted code. The CVSS vector and score come directly from the NVD metadata. The NVD record was published on 2017-01-27 and later modified on 2026-05-13; the publication date is used as the CVE timing context, not the later modification date.
Official resources
Publicly disclosed in the Oracle January 2017 CPU and recorded by NVD on 2017-01-27.