PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-3260 Oracle CVE debrief

CVE-2017-3260 is a high-severity Oracle Java SE issue in the AWT component that affects specific Java 7u121 and 8u112 client-side deployments. Oracle says exploitation is difficult, requires network access and user interaction, and can result in takeover of Java SE. The risk is concentrated in sandboxed Java Web Start applications or applets that load untrusted code; server deployments that only run trusted code are described as out of scope.

Vendor: Oracle
Product: CVE-2017-3260
CVSS: HIGH 8.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations that still run legacy Java client software should care most: endpoint teams, desktop/application owners, security teams, and anyone supporting Java Web Start, browser-facing applets, or other sandboxed Java deployments. Environments using Java only on servers for trusted code are not the primary target described in the source.

Technical summary

The source describes a vulnerability in Oracle Java SE’s AWT subcomponent affecting Java SE 7u121 and 8u112 (JDK/JRE). The attack model requires network access and user interaction, and the vulnerability can be reached over multiple protocols. NVD lists CVSS v3.0 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and marks the weakness as NVD-CWE-noinfo. Oracle’s description explicitly limits applicability to client deployments that run untrusted code under the Java sandbox.

Defensive priority

High for any environment still running the affected Java client versions, especially if sandboxed applets or Java Web Start are enabled. Priority is lower for server-only Java deployments that do not execute untrusted code, based on the source description.

Recommended defensive actions

  • Identify systems running Oracle Java SE/JRE/JDK 7u121 or 8u112 and confirm whether they are used for client-side execution of untrusted code.
  • Apply Oracle’s January 2017 CPU update or the equivalent downstream vendor package fix on affected systems.
  • Disable or remove Java browser/plugin, applet, and Java Web Start use where not required.
  • Restrict use of legacy Java runtimes to trusted applications only, and avoid running untrusted code in affected deployments.
  • Check downstream advisories from Debian, Gentoo, and NetApp for platform-specific package remediation guidance.
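As an added example (not part of the PatchSiren debrief), the first action above can be scripted: this Python helper parses `java -version` output and flags the 7u121 and 8u112 builds named in the advisory. The "review" verdict for older update levels is an assumption added here to prompt manual follow-up, not a statement from the advisory, and the sample version strings in the comments are constructed.

```python
"""Triage helper for CVE-2017-3260: parse `java -version` output and flag the
affected Oracle Java SE builds (7u121 and 8u112) named in the advisory."""
import re
import subprocess
from typing import NamedTuple, Optional

# Builds the advisory lists as affected, as (major, update) in legacy 1.x.0_NNN notation.
AFFECTED_BUILDS = {(7, 121), (8, 112)}

# Matches the legacy version line, e.g. `java version "1.8.0_112"` or
# `openjdk version "1.7.0_121-b15"` (constructed samples); the -bNN build tag is optional.
_VERSION_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)(?:-b\d+)?"')


class JavaBuild(NamedTuple):
    major: int
    update: int


def parse_java_version(output: str) -> Optional[JavaBuild]:
    """Return (major, update) from `java -version` text, or None if not in legacy 1.x form."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return JavaBuild(int(match.group(1)), int(match.group(2)))


def classify(build: Optional[JavaBuild]) -> str:
    """Map a parsed build to a triage verdict against the advisory's affected list."""
    if build is None:
        return "unknown: version string not in legacy 1.x.0_NNN form, inspect manually"
    if (build.major, build.update) in AFFECTED_BUILDS:
        return f"affected: {build.major}u{build.update} is named in the advisory"
    listed = {major: upd for major, upd in AFFECTED_BUILDS}
    if build.major in listed and build.update < listed[build.major]:
        # Assumption: an older update of the same major line deserves a manual check.
        return f"review: {build.major}u{build.update} predates the listed build, check the vendor advisory"
    return f"not listed: {build.major}u{build.update} is not one of the advisory's affected builds"


def triage_local_java(java_cmd: str = "java") -> str:
    """Run `java -version` on this host (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "no java binary found on PATH"
    return classify(parse_java_version(proc.stderr + proc.stdout))


if __name__ == "__main__":
    print(triage_local_java())
```

Run it per host, or feed collected `java -version` text to `parse_java_version` and `classify` from an inventory job.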

Evidence notes

Oracle’s advisory reference and the NVD record both tie the issue to Java SE AWT and the affected 7u121/8u112 JRE/JDK builds. The CVSS vector in NVD shows network attackability with user interaction required and high confidentiality, integrity, and availability impact. The source description specifically says the vulnerability applies to sandboxed client deployments that load untrusted code and does not apply to server deployments that only load trusted code. NVD’s weakness entry is NVD-CWE-noinfo, so the corpus does not provide a more specific CWE classification.

Official resources

Publicly published on 2017-01-27T22:59:02.927Z. The 2026-05-13 modification timestamp in the supplied metadata reflects record updates, not the original vulnerability disclosure date. Oracle’s January 2017 CPU advisory is the vendor patch/