Oracle says SPARCv9 has Spectre CPU bug, patches coming soon

Big Red finally delivers patches for its x86 boxes – and 230-plus other problems

By Simon Sharwood, APAC Editor


Oracle has told users of its SPARC-powered platforms that their systems are affected by the Spectre processor design flaw.

A support document buried in Oracle’s customers-only portal, but seen by The Register, states: “Oracle believes that certain versions of Oracle Solaris on SPARCv9 are affected by the Spectre vulnerabilities.”

The document, dated today, confirms “Oracle is working on producing the patches for all affected versions that are under Premier Support or Extended Support.”

There’s no mention of when Oracle will deliver the updates; the database goliath promises it will deliver them “upon successful completion of the testing of the patches.”

“Oracle will also investigate the performance impact of these patches,” the document continues, going on to remind customers “not to allow the installation of untrusted programs on affected systems” as these applications can exploit Spectre to extract sensitive information from vulnerable computers.

“Oracle also recommends that customers limit the number of privileged users (who have the ability to install and run code) and periodically review audit logs (to detect potentially abnormal activities)”, the document concludes.

The note also clears Solaris on SPARCv9 of the Meltdown design cockup.

Confirmation of Solaris and SPARC’s Spectre vulnerabilities comes as Oracle delivers its Meltdown/Spectre patches for its x86 servers.

The batch of fixes also states that “Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode,” which is a little odd as Oracle Linux and Oracle Virtualization have already received patches.

The Register asked Oracle for comment and was, again, told the biz has no comment to make.

We’ve also probed for the status of Oracle’s x86 cloud, and have seen posts in customer forums in which users say they’ve been advised of imminent disruptions to service as Big Red Meltdown-and-Spectre-proofs its infrastructure.

And now for the other 200-odd Big Red patches

News of the x86 patches landed among news of 222 other fixes on the January 2018 Big Red quarterly patch list.

The ten-out-of-ten-rated fix Oracle warned users of the Sun ZFS Storage Appliance Kit to prepare for earned its maximum rating because the flaw allows complete takeover of the storage appliance, and likely offers a route into other devices for good measure. Scarily, it is one of 135 fixes for bugs that are remotely exploitable without authentication.

Other high-scoring bugs impact Oracle WebLogic Server, which has the 9.9-rated CVE-2017-10352 that could see an unauthenticated user crash the server over HTTP.

Oracle’s Communications apps have five 9.8-rated bugs, but all are in Apache software rather than Oracle’s own code. Indeed, Apache Log4j appears 21 times in Oracle’s list, making the Log4j deserialization flaw CVE-2017-5645 responsible for almost ten per cent of Big Red’s patch packet. Other inherited nasties include CVE-2017-5461, a 9.8-rated bug in the NSS (Network Security Services) library’s Base64 decoder, which affects Oracle Directory Server Enterprise Edition and the iPlanet Web Server.

Users of the Micros MC40 Zebra Handheld unit – a gadget used by retailers for scanning and taking payments with a mag-stripe reader – can be attacked over Bluetooth and WiFi networks. At the time of writing there’s no detail available about CVE-2018-2697, but we mention it anyway in case some readers are nervous sailors: it impacts the Emergency Response System in Oracle’s Cruise Fleet Management application.

Java users have lots to ponder, too: Java SE and Java SE Embedded, plus the Java ME SDK installer, all carry bugs rated in the 7 and 8 range.

So what are you waiting for, Oracle users, other than SPARC patches? There’s surely something for almost all of you in this quarter’s patch trove. ®
