Oracle Issues Patches For Spectre & Meltdown Flaws

Oracle has released a huge number of security updates to tackle the Meltdown and Spectre chip flaws.

The patch covers Oracle’s extensive product portfolio including JDEdwards, MySQL Server, Oracle Database Server, Oracle Java SE, Siebel and PeopleSoft, to name but a few of the products patched.

The Oracle patch will add to the workload of system administrators, already battling to implement the various fixes from other vendors for the chip design flaws.

Oracle Patches

Oracle issued its critical patch update and said that system admins also need to consider any previous patches they have not already applied.

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities,” it said.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the software giant added. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

The update contains patches for 237 Oracle products for Intel machines that are affected by the flaws.

Meanwhile the Register, citing a document in Oracle’s customer-only portal, reported that certain versions of Oracle Solaris on SPARCv9 are affected by one of the chip flaws (i.e. Spectre), and said that Oracle was working on a security patch for it.

However Oracle has reportedly declined to comment on that report.

Spectre, Meltdown

The Meltdown and Spectre vulnerabilities affect just about every single processor made over the past 20 years, and emergency fixes and mitigations have been be released for Windows, Mac, iOS and Android.

Chips made by ARM manufacturers and AMD are also impacted.

Essentially, the vulnerabilities affect the kernel of the chips and could allow an attacker to read information that should otherwise be inaccessible. This means an attacker could obtain passwords, encryption keys or steal information from other applications.

The tech industry has known has these flaws for some time now, as they were initially discovered by the Google Project Zero back in June last year, who then alerted all the affected vendors.

But when news of the flaws broke earlier this month, the industry seemed to be caught off guard, despite the fact that the flaws were going to be publicly disclosed on 9 January.

Last week Intel CEO Brian Krzanich used his keynote address at the Consumer Electronics Show (CES) in Las Vegas to assure customers that fixes would be released within a week. The chip giant is currently facing at least three class-action lawsuits over the matter.

Cybersecurity firm Malwarebytes has warned that scammers are issuing fake Spectre and Meltdown patches, in an effort to ensnare users with phishing scams.

Quiz: What do you know about Intel?