Oracle has revealed that its first critical patch update for 2018 includes fixes for the widespread Meltdown and Spectre CPU speculative-execution flaws.
Oracle's January critical patch update addresses 237 flaws across its various product families, but most notably the update includes fixes for any Spectre and Meltdown exploits.
The update "provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities", Oracle says in the advisory.
Oracle has provided more information for customers with login details. The Register reports the private advisory says certain versions of Oracle Solaris on the Sparc V9 architecture are affected by Spectre.
Oracle doesn't yet have patches for either Spectre bug (Variant 1 and Variant 2 of the speculative-execution attacks), but it is developing them for versions of Solaris on Sparc V9 under Premier Support or Extended Support. Solaris on Sparc V9 is not affected by Meltdown (Variant 3), which seems to affect only Intel chips and Arm's A-75 processor.
As with Microsoft, Google, AWS, and others impacted by the CPU bugs, Oracle promises to assess the performance impact of its patches. It also reminds customers not to run untrusted programs on affected systems. In the case of Meltdown, attackers who can run code on a system can access normally protected memory.
Oracle says in its public advisory that the Spectre attack CVE-2017-5715 -- known as Variant 2, which involves 'branch target injection' and is the main concern for virtualized cloud environments -- affects Oracle's Sun X86 Server BIOS.
Vendors have been fixing this bug with silicon microcode from Intel or using Google's software alternative Retpoline. Google and Microsoft have found considerable performance issues on CPUs fixed using silicon microcode for Variant 2.
Oracle says the Sun X86 Server update includes "Intel microcode that enables OS and VM-level mitigations for CVE-2017-5715".
"Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non-Oracle OS and virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode."
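The article contrasts two ways of closing Variant 2, Intel microcode and Google's Retpoline, and notes that OS-level mitigations depend on the microcode being present. On a Linux host the kernel reports which path is actually in effect through sysfs, and a patch-verification step can read that rather than trusting the vendor bulletin. The script below is an added example, not code from the article, Oracle or IBM; it assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities (Solaris on Sparc, discussed above, has no such files), the sample directory it builds is constructed, and the --live flag is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the article): classify the Linux kernel's reported
# mitigation state for Spectre v1, Spectre v2 and Meltdown from the sysfs files
# /sys/devices/system/cpu/vulnerabilities/{spectre_v1,spectre_v2,meltdown}.
# With --live it reads the real host; otherwise it runs over a constructed
# sample directory so it can be exercised offline.

# classify_status <status line> -> mitigated|vulnerable|unaffected|unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo unaffected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# variant2_mechanism <spectre_v2 status line> -> retpoline|ibrs|none|other
# Distinguishes Google's software retpoline from the microcode-backed IBRS
# path the article mentions; the kernel names the mechanism in the line.
variant2_mechanism() {
    case "$1" in
        *[Rr]etpoline*) echo retpoline ;;
        *IBRS*)         echo ibrs ;;
        Vulnerable*)    echo none ;;
        *)              echo other ;;
    esac
}

# report_dir <directory>: one line per variant; returns 1 if any is vulnerable
report_dir() {
    dir="$1"
    rc=0
    for v in spectre_v1 spectre_v2 meltdown; do
        if [ -r "$dir/$v" ]; then
            line=$(cat "$dir/$v")
        else
            line="unknown (no sysfs entry)"
        fi
        state=$(classify_status "$line")
        if [ "$state" = vulnerable ]; then rc=1; fi
        extra=""
        if [ "$v" = spectre_v2 ]; then
            extra=" [$(variant2_mechanism "$line")]"
        fi
        printf '%-10s %-11s %s%s\n' "$v" "$state" "$line" "$extra"
    done
    return $rc
}

# Constructed sample (modelled on real sysfs output): an Intel host running a
# kernel with page-table isolation for Meltdown and a retpoline build for
# Variant 2. Prints the temporary directory it created.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    report_dir /sys/devices/system/cpu/vulnerabilities
else
    report_dir "$(make_sample)"
fi
```

The non-zero exit on any "Vulnerable" line makes the script usable as a post-patch gate: a host whose firmware was updated but whose kernel lacks the matching OS-level mitigation still shows Variant 2 as vulnerable, which is exactly the gap the Oracle note about microcode and OS patches is warning about.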
This bug also affects Oracle's VM VirtualBox hypervisor for Intel and AMD systems.
IBM yesterday also updated its guidance for Power CPUs affected by the attacks. Its firmware updates for Power7+, Power8 and Power9 CPUs are already available, while patches for Power7 are due on February 7. Customers also need to apply the appropriate operating system updates to be fully protected.
While Linux patches are already out, IBM is accelerating its operating system patches, which were originally due out on February 12. The IBM i OS patches are available now through IBM's FixCentral support page while its AIX patches will be available from January 26. Both OS patches will continue to be rolled out until February 12.
IBM also says its storage appliances aren't affected by Spectre and Meltdown attacks, even though they contain processors that are vulnerable. IBM says its Storage Appliances are not impacted because they're closed systems that only execute code from IBM. The company is still considering firmware updates for these appliances.