back to article Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

Oracle still has nothing to say about whether the Meltdown or Spectre vulnerabilities are a problem for its hardware. Big Red today offered The Register another “no comment”, making it a notable absentee from the Intel’s list of x86 vendors’ advisories on how to handle the twin problems. Oracle of course also operates an x86 …

  1. Anonymous Coward
    Anonymous Coward

    Good old Oracle

    Keeping their hostages, I mean customers, informed as usual.

  2. Anonymous Coward
    Anonymous Coward

    The Spectre and Meltdown patches have been available for Oracle Linux (UEK and Red Hat Compatibility Kernel) for over a week now. For their x86 systems that use Oracle Linux, the OS patches at least are available.

    Meltdown is an Intel bug, so there are not reports of a Sparc vulnerability to this. Spectre is more general and seems likely to affect more architectures. See statements below.

    Two quotes from an Oracle Support ticket, reported by a customer on this forum post.

    https://community.oracle.com/thread/4110456?start=0&tstart=0

    "...

    Oracle is aware of the recently disclosed security vulnerabilities. Oracle is investigating the impact on the Oracle product line and will produce patches for any affected Oracle product.

    Patches for affected Oracle products will be announced on the Critical Patch Update page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

    Oracle will not provide any additional information other than the patches announced in the mentioned CPU alerts.

    We will not provide advanced notification or additional details about the security vulnerability. Please review the Oracle policies for more information:

    + Oracle Security Vulnerability Disclosure Policies

    https://www.oracle.com/support/assurance/vulnerability-remediation/disclosure.html

    + Security Fixing Policies

    https://www.oracle.com/support/assurance/vulnerability-remediation/security-fixing.html

    Please check the CPU page including the Third Party Bulletin for updates. Solaris fixes (where applicable) will also be listed in the MOS note 1448883.1

    As of this moment neither the CPU nor the Third Party Bulletin or the MOS note 1448883.1 is listing additional information about the recent issues and Oracle will not provide any further information here (as explained above).

    ..."

    "...

    Oracle has developed fixes addressing the Intel processor design flaws leading to vulnerabilities CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715. Oracle will deliver those fixes, if applicable, in accordance with Oracle’s security update policies. WHEN: 17/01/2018 4pm CET (GMT+1)

    ..."

    A single Google search reveals what they have already done, and why there have been no announcements prior to the regular quarterly Critical Patch Update (CPU) announcment...

    1. Anonymous Coward
      Anonymous Coward

      OVM patches also shipped.

      The el-errata and ovm-errata mailing lists usually give timely updates for releases.

      In this car the updates shipped first and anyone who wants updates for Oracle Linux or OrackeVM can just pick them up from yum.oracle.com.

  3. Anonymous Coward
    Anonymous Coward

    They're still working out the licensing costs.

  4. LDS Silver badge
    Joke

    "... the Cruise Fleet Management application ...."

    Now we know why they lost the America's Cup that way. The skipper was desperately trying to use those applications to plan for the races...

    Anyway cruise ships are now so large you need such kind of applications to manage everything and everyone on board. A couple of colleagues in a company I worked for usually had to take some short cruises when a new version was released, or to diagnose issues, poor lads. Inmarsat connections were too expensive, and the ship won't stay harboured for too long (but for scheduled maintenance).

    Just they would really need a backup captain to take the helm automatically when the main one thinks showing off past an island is a good PR stunt...

  5. DougMac

    SPARC doesn't seem to be affected..

    Unofficially, some Oracle people have stated that since SPARC runs kernel and user address space completely separate as part of the design of their ABI, that the same sorts of issues can't crop up.

  6. Anonymous Coward
    Anonymous Coward

    I wonder if this is significant ?

    Having noticed that somebody is already cyber-squatting quantumattack.com it looks as though there may be something more significant on solaceattack.com ...

  7. detuur
    Devil

    "Clear communication" is probably an optional extra that you can tick on the contract. It's on page 162 and requires extra signatures on pages 48, 198, 67 and 115 (in that order).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022