Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

Anonymous Coward

The Spectre and Meltdown patches have been available for Oracle Linux (UEK and Red Hat Compatibility Kernel) for over a week now. For their x86 systems that use Oracle Linux, the OS patches at least are available.

Meltdown is an Intel bug, so there are no reports of a Sparc vulnerability to this. Spectre is more general and seems likely to affect more architectures. See statements below.

Two quotes from an Oracle Support ticket, reported by a customer on this forum post.

https://community.oracle.com/thread/4110456?start=0&tstart=0

"...

Oracle is aware of the recently disclosed security vulnerabilities. Oracle is investigating the impact on the Oracle product line and will produce patches for any affected Oracle product.

Patches for affected Oracle products will be announced on the Critical Patch Update page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Oracle will not provide any additional information other than the patches announced in the mentioned CPU alerts.

We will not provide advanced notification or additional details about the security vulnerability. Please review the Oracle policies for more information:

+ Oracle Security Vulnerability Disclosure Policies

https://www.oracle.com/support/assurance/vulnerability-remediation/disclosure.html

+ Security Fixing Policies

https://www.oracle.com/support/assurance/vulnerability-remediation/security-fixing.html

Please check the CPU page including the Third Party Bulletin for updates. Solaris fixes (where applicable) will also be listed in the MOS note 1448883.1

As of this moment neither the CPU nor the Third Party Bulletin or the MOS note 1448883.1 is listing additional information about the recent issues and Oracle will not provide any further information here (as explained above).

..."

"...

Oracle has developed fixes addressing the Intel processor design flaws leading to vulnerabilities CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715. Oracle will deliver those fixes, if applicable, in accordance with Oracle’s security update policies. WHEN: 17/01/2018 4pm CET (GMT+1)

..."

A single Google search reveals what they have already done, and why there have been no announcements prior to the regular quarterly Critical Patch Update (CPU) announcement...
