PatchSiren cyber security CVE debrief
CVE-2017-3310 Oracle CVE debrief
CVE-2017-3310 is a critical vulnerability in the Oracle Database Server OJVM component. Oracle and NVD describe it as easily exploitable by a low-privileged attacker with Create Session and Create Procedure privileges, reachable over the network via multiple protocols. Successful attacks require human interaction from someone other than the attacker and can result in takeover of OJVM, with potential impact to confidentiality, integrity, and availability. The affected supported versions named in the record are 11.2.0.4 and 12.1.0.2.
- Vendor: Oracle
- Product: CVE-2017-3310
- CVSS: CRITICAL 9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle DBAs, security teams, and application owners running affected Oracle Database Server releases with OJVM enabled should treat this as urgent. It is especially relevant where low-privileged database accounts hold the Create Session and Create Procedure privileges, since those are the only prerequisites the record names for an attacker.
Technical summary
The NVD record scores CVE-2017-3310 at CVSS 3.0 9.0 with vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The vulnerability affects Oracle Database Server OJVM on 11.2.0.4 and 12.1.0.2. Oracle’s advisory reference indicates that it is network-reachable and easily exploitable, and that successful exploitation can compromise OJVM. The scope-changed (S:C) vector reflects the record’s note that attacks may significantly impact additional products; the UI:R component reflects its note that human interaction by a person other than the attacker is required.
Defensive priority
Critical. Prioritize patching and exposure review immediately for any Oracle Database deployments matching the affected versions, especially where OJVM is present and low-privileged accounts can reach the vulnerable surface.
Recommended defensive actions
- Apply Oracle’s January 2017 Critical Patch Update referenced in the vendor advisory for affected systems.
- Identify Oracle Database installations running 11.2.0.4 or 12.1.0.2 and confirm whether OJVM is present.
- Review database accounts with Create Session and Create Procedure privileges and remove unnecessary permissions where possible.
- Verify that only authorized administrators can access affected database services and monitor for unusual database activity around OJVM-related operations.
- Track Oracle’s advisory and NVD entry for any updates or additional vendor guidance.
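The SQL below is an added illustration of how a DBA could scope the second and third actions above from the Oracle data dictionary; it is not part of the PatchSiren debrief or of Oracle’s advisory. It assumes a session with read access to the DBA_* views (for example the DBA role), and uses only standard dictionary views: V$VERSION, DBA_REGISTRY, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, DBA_REGISTRY_SQLPATCH (12.1 and later) and DBA_REGISTRY_HISTORY (11.2).

```sql
-- Added example (not from the PatchSiren debrief or Oracle): dictionary checks a DBA
-- can run to scope CVE-2017-3310 exposure. Assumes read access to the DBA_* views.

-- 1. Which release is this? The debrief names 11.2.0.4 and 12.1.0.2 as affected.
SELECT banner FROM v$version;

-- 2. Is the OJVM component (registered as JAVAVM) installed, and in what state?
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 3. Open accounts that hold BOTH privileges the record names as the prerequisite,
--    whether granted directly or through a role (one level of role nesting shown;
--    deeper role chains need a CONNECT BY walk of DBA_ROLE_PRIVS).
WITH effective AS (
  SELECT grantee, privilege
    FROM dba_sys_privs
  UNION
  SELECT rp.grantee, sp.privilege
    FROM dba_role_privs rp
    JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
)
SELECT e.grantee
  FROM effective e
  JOIN dba_users u ON u.username = e.grantee
 WHERE e.privilege IN ('CREATE SESSION', 'CREATE PROCEDURE')
   AND u.account_status = 'OPEN'
 GROUP BY e.grantee
HAVING COUNT(DISTINCT e.privilege) = 2
 ORDER BY e.grantee;

-- 4a. 12.1.0.2: has an OJVM patch been applied to this database? Look for a
--     DESCRIPTION mentioning OJVM with STATUS = 'SUCCESS'.
SELECT patch_id, action, status, description, action_time
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;

-- 4b. 11.2.0.4: CPU/PSU application is recorded in DBA_REGISTRY_HISTORY instead.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;
```

Query 3 is the one to feed into the privilege review: every grantee it returns satisfies the PR:L precondition in the CVSS vector, so each should be justified or trimmed. Queries 4a and 4b show only what the database-side registry knows; confirm the binary-level patch state against the Oracle Home inventory with `opatch lsinventory` before marking a host as remediated.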
Evidence notes
All substantive claims are drawn from the NVD CVE record and the linked Oracle CPU advisory reference in the source corpus. The record states the affected versions, privilege prerequisites, network exposure, human-interaction requirement, CVSS vector, and impact scope. No exploit details or unsupported mitigation claims are included.
Official resources
- CVE-2017-3310 CVE record (CVE.org)
- CVE-2017-3310 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Source reference: Publicly disclosed on 2017-01-27 per the CVE published date in the source record.