PatchSiren cyber security CVE debrief

CVE-2017-3289 Oracle CVE debrief

CVE-2017-3289 is a critical Oracle Java SE / Java SE Embedded vulnerability in Hotspot that affects specific Java 7 and 8 update levels. The supplied description says it is easily exploitable over the network, requires user interaction, and can lead to takeover of affected Java deployments that load untrusted code in sandboxed Java Web Start applications or applets. Oracle’s own January 2017 CPU is listed as the primary vendor advisory reference in the supplied NVD record.

Vendor: Oracle
Product: CVE-2017-3289
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Security teams and endpoint administrators responsible for Oracle Java SE, Java SE Embedded, JRE/JDK client deployments, especially systems that still run Java Web Start applications or browser-era applets that depend on the Java sandbox. Server deployments that only execute trusted, administrator-installed code are described as typically out of scope, but should still be version-checked.

Technical summary

The NVD record maps CVE-2017-3289 to Oracle Java SE and Java SE Embedded Hotspot, with affected versions including Java SE 7u121, Java SE 8u111 and 8u112, and Java SE Embedded 8u111. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (9.6). The vulnerability is reachable over the network without authentication, but requires interaction from a user other than the attacker. Oracle’s description ties the impact to client-side Java deployments that load untrusted code and rely on the sandbox for security.

Defensive priority

Immediate — critical risk for any still-supported or still-deployed affected Java client runtime.

Recommended defensive actions

  • Identify all Oracle Java SE, JRE, JDK, and Java SE Embedded installations and match them against the affected versions listed in the NVD record.
  • Prioritize endpoints that run Java Web Start applications, applets, or other sandbox-reliant client code that may load untrusted content.
  • Apply Oracle’s January 2017 CPU or a vendor-supported downstream package update that remediates this CVE.
  • Remove or disable legacy Java Web Start and applet workflows where possible, especially on user-facing systems.
  • Use vendor errata and distro-specific advisories referenced by NVD to confirm platform-specific remediation status across Red Hat, Debian, Gentoo, and other packaged distributions.
  • Verify that any Java runtime used on servers is limited to trusted, administrator-controlled code paths, and inventory it anyway to avoid stale vulnerable package versions.
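One way to carry out the first action above, as an added example rather than PatchSiren’s or Oracle’s own tooling: parse the first line of `java -version` output and flag the update levels this debrief lists. It assumes the legacy `1.<major>.0_<update>` version format that Java 7 and 8 print; the sample outputs are constructed, not captured from real hosts, and the "later" sample is not a statement of which update fixes the CVE.

```python
import re
import subprocess

# Affected update levels named in the NVD summary quoted above: Java SE 7u121,
# 8u111 and 8u112, plus Java SE Embedded 8u111 (same 1.8.0_111 version string).
AFFECTED = {(7, 121), (8, 111), (8, 112)}

# First line of `java -version`, e.g.:  java version "1.8.0_111"
# Java 7/8 report versions as 1.<major>.0_<update>; Java 9+ uses 9.0.1 style,
# which this regex deliberately does not match.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)_(\d+)')


def parse_legacy_version(output):
    """Return (major, update) from legacy-style `java -version` output, else None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(2)), int(m.group(4))


def is_affected(output):
    """True if the runtime is one of the update levels listed for CVE-2017-3289."""
    parsed = parse_legacy_version(output)
    return parsed is not None and parsed in AFFECTED


def check_local_java(java_path="java"):
    """Run `java -version` on this host; None if no such binary is present."""
    try:
        # `java -version` writes its banner to stderr, so read both streams.
        proc = subprocess.run([java_path, "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "affected": 'java version "1.8.0_111"\nJava(TM) SE Runtime Environment (build 1.8.0_111-b14)\n',
    "java7": 'java version "1.7.0_121"\n',
    "later": 'java version "1.8.0_131"\n',
    "modern": 'openjdk version "11.0.2" 2019-01-15\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: affected={is_affected(out)}")
    print("local java:", check_local_java())
```

Runtimes that never print the legacy format (Java 9 and later) are reported as not affected, and a missing `java` binary yields None rather than a false negative.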

Evidence notes

This debrief is based only on the supplied NVD/CVE metadata and the reference list included in the source item. The strongest direct evidence is the CVE description, which names the affected Oracle Java SE / Java SE Embedded Hotspot component, the impacted versions, the sandboxed client-use case, the network-access requirement, and the need for human interaction. The NVD record also provides the CVSS v3.0 vector and points to Oracle’s January 2017 CPU advisory plus downstream remediation references.

Official resources

Publicly disclosed on 2017-01-27T22:59:03.850Z. The supplied NVD record was later modified on 2026-05-13T00:24:29.033Z, which is record maintenance metadata and not the vulnerability issue date.