Oracle Patches Spectre Flaw in x86 Servers

Oracle Patches Spectre Flaw in x86 Servers

Oracle has released its first update round of the year, which includes fixes for products affected by one of the recently disclosed Spectre CPU vulnerabilities.

The database giant had the following:

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note.”

However, in reality, the update round only appears to patch one of the two Spectre vulnerabilities revealed in the first week of January: CVE-2017-5715.

It applies to Oracle x86 servers, with the following caveat:

“This includes Intel microcode that enables OS and VM level mitigations for CVE-2017-5715. Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non-Oracle OS and Virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode.”

The firm is also thought to be prepping Spectre patches for Solaris on SPARCv9 systems.

Oracle will be hoping its Spectre fix doesn’t slow down systems as other patches have seemed to.

Research released by Barkly this week claimed that at half of the organizations the vendor spoke to, less than a quarter of machines had been patched — partly because of incompatibility problems between Windows and AV tools.

Oracle released a total of 237 fixes in this update round, slightly fewer than last quarter’s 252.

Some 153 vulnerabilities have been fixed by the vendor in business-critical applications, but the overall highest CVSS score (10.0) is in Sun ZFS Storage Appliance Kit, according to analysis from ERPScan.

“The most vulnerable application is Oracle Financials totalling 34. However, not only the number but the criticality of issues is alarming,” the firm continued. “Thirteen of them can be exploited over the network without entering user credentials. The most critical vulnerability [has a score of] CVSS 8.8.”

Source: Information Security Magazine