PatchSiren cyber security CVE debrief

CVE-2017-3272 Oracle CVE debrief

CVE-2017-3272 is a critical Oracle Java SE / Java SE Embedded vulnerability in the Libraries subcomponent. Oracle and NVD describe it as network-accessible, easy to exploit, and capable of full compromise in client-style Java deployments that rely on the sandbox, especially Java Web Start and applet use cases.

Vendor: Oracle
Product: CVE-2017-3272
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Organizations that still run Oracle Java SE or Java SE Embedded at the affected update levels, especially endpoints or desktops that execute sandboxed Java Web Start applications or applets from untrusted sources. Server deployments that only load trusted, administrator-installed code are called out in the source description as out of scope for the primary risk model.

Technical summary

The NVD record ties CVE-2017-3272 to Oracle Java SE / Java SE Embedded Libraries and marks affected CPEs for JDK/JRE 6u131, 7u121, 8u111, and 8u112. The published description says an unauthenticated attacker with network access can reach the flaw via multiple protocols, but successful exploitation requires user interaction and is most relevant to sandboxed client deployments that load untrusted code. NVD assigns CVSS v3.0 9.6 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating severe impact and scope change.

Defensive priority

Immediate. Treat as a high-priority Java client endpoint issue for any remaining affected Oracle Java deployments, especially systems that can still launch untrusted applets or Java Web Start content.

Recommended defensive actions

  • Identify endpoints and applications using Oracle Java SE or Java SE Embedded at the affected update levels listed in the NVD record (6u131, 7u121, 8u111, 8u112).
  • Prioritize patching or upgrading Java to a fixed release from the Oracle CPU for January 2017 or later supported updates.
  • Reduce exposure by removing or disabling legacy Java Web Start and applet usage where possible, especially for untrusted internet-delivered content.
  • Review whether any business applications still depend on sandboxed Java execution and replace or isolate them if they cannot be updated promptly.
  • Use vendor advisories and downstream package guidance to verify remediation on platforms that bundle Java, not just Oracle-provided installations.
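As an added illustration of the first action above (finding endpoints at the listed update levels), the following Python is an example written for this debrief, not PatchSiren's or Oracle's tooling. It parses `java -version` banners gathered by whatever inventory mechanism you already have and compares them with the update levels the NVD record names; hostnames and banners are constructed, and the "older-than-listed" bucket is an assumption that updates earlier than a listed level also predate the January 2017 fix and should be verified against the vendor advisory.

```python
import re

# Affected update levels named in the NVD record for CVE-2017-3272,
# keyed by Java major line (6u131, 7u121, 8u111, 8u112).
AFFECTED_UPDATES = {6: {131}, 7: {121}, 8: {111, 112}}

# Legacy "1.<major>.0_<update>" banner printed (to stderr) by
# `java -version` on Java 6/7/8, e.g. java version "1.8.0_112".
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.([678])\.0_(\d+)')


def parse_java_version(banner: str):
    """Return (major, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def classify(banner: str) -> str:
    """Classify one banner against the update levels listed in the record.

    affected           exact match with a listed update level
    older-than-listed  same major line, lower update; ASSUMPTION: it also
                       predates the January 2017 fix, verify with the vendor
    not-listed         newer update, or a Java line the record does not name
    unparsed           banner is not in the legacy 1.x.0_NNN format
    """
    parsed = parse_java_version(banner)
    if parsed is None:
        return "unparsed"
    major, update = parsed
    listed = AFFECTED_UPDATES.get(major)
    if listed is None:
        return "not-listed"
    if update in listed:
        return "affected"
    if update < min(listed):
        return "older-than-listed"
    return "not-listed"


def triage(inventory: dict) -> dict:
    """Map host -> classification for a {host: banner} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.8.0_112"',
    "ws-02": 'java version "1.8.0_121"',
    "ws-03": 'java version "1.7.0_121"',
    "ws-04": 'openjdk version "1.6.0_45"',
    "srv-01": 'openjdk version "11.0.2"',
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

Only "affected" hosts match the record's CPE list exactly; the other buckets tell you where to check the vendor's fixed-release list rather than assume either way.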

Evidence notes

This debrief is based on the supplied NVD CVE record and its metadata. The record states the vulnerability affects Oracle Java SE / Java SE Embedded Libraries, lists affected CPEs, provides CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H with base score 9.6, and includes Oracle CPU January 2017 plus downstream vendor advisories in references. The source description also explicitly limits the main exposure to client-style deployments that load untrusted code and rely on the Java sandbox.

Official resources

CVE published 2017-01-27T22:59:03.337Z. The supplied source record was last modified by NVD on 2026-05-13T00:24:29.033Z; that is a record update date, not the vulnerability's original disclosure date.