Oracle says SPARCv9 has Spectre CPU bug, patches coming soon

Oracle has told users of its SPARC-powered platforms that they have the Spectre processor design flaw.

A support document buried in Oracle’s customers-only portal, but seen by The Register, states: “Oracle believes that certain versions of Oracle Solaris on SPARCv9 are affected by the Spectre vulnerabilities.”

The document, dated today, confirms “Oracle is working on producing the patches for all affected versions that are under Premier Support or Extended Support.”

There’s no mention of when Oracle will deliver the updates; the database goliath promises it will deliver them “upon successful completion of the testing of the patches.”

“Oracle will also investigate the performance impact of these patches,” the document continues, going on to remind customers “not to allow the installation of untrusted programs on affected systems” as these applications can exploit Spectre to extract sensitive information from vulnerable computers.

“Oracle also recommends that customers limit the number of privileged users (who have the ability to install and run code) and periodically review audit logs (to detect potentially abnormal activities)”, the document concludes.

The note also clears Solaris on SPARCv9 of the Meltdown design cockup.

Confirmation of Solaris and SPARC’s Spectre vulnerabilities comes as Oracle delivers its Meltdown/Spectre patches for its x86 servers.

The batch of fixes also states that “Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode,” which is a little odd as Oracle Linux and Oracle Virtualization have already received patches.

The Register asked Oracle for comment and was, again, told the biz has no comment to make.

We’ve also probed for the status of Oracle’s x86 cloud, and have seen posts in customer forums in which users say they’ve been advised of imminent disruptions to service as Big Red Meltdown-and-Spectre-proofs its infrastructure.

And now for the other 200-odd Big Red patches

News of the x86 patches landed among news of 222 other fixes on the January 2018 Big Red quarterly patch list.

The ten-out-of-ten-rated patch Oracle warned users of the Sun ZFS Storage Appliance Kit to prepare for earned its maximum rating by virtue of allowing complete takeover of storage appliances and a likely route into other devices for good measure. Scarily, it’s one of 135 fixes for problems that allow remote execution without authentication.

Other high-scoring bugs impact Oracle WebLogic Server, which has the 9.9-rated CVE-2017-10352 that could see an unauthenticated user crash the server over HTTP.

Oracle’s Communications apps have five 9.8-rated bugs, but all are in Apache software rather than Oracle’s own efforts. Indeed, Apache Log4j appears 21 times in Oracle’s list, making CVE-2017-5645 responsible for almost ten per cent of Big Red’s patch packet. Other inherited nasties include CVE-2017-5461, a 9.8-rated problem that’s present in NSS decoders and which is present in Oracle Directory Server Enterprise Edition and the iPlanet Web Server.

Users of the Micros MC40 Zebra Handheld unit – a gadget used by retailers for scanning and taking payments with a mag-stripe reader – can be attacked over Bluetooth and WiFi networks. At the time of writing there’s no detail available about CVE-2018-2697, but we mention it anyway in case some readers are nervous sailors because it impacts the Emergency Response System in Oracle’s Cruise Fleet Management application.

Java users have lots to ponder, with Java SE and Java SE embedded, plus the Java ME SDK installer, all scoring 7-and-8-rated bugs.

So what are you waiting for, Oracle users, other than SPARC patches? There’s surely something for almost all of you in this quarter’s patch trove. ®