Oracle January 2018 Critical Patch Update also addresses Spectre and Meltdown

Oracle rolled out the January 2018 Critical Patch Update that includes 237 security fixes in its products, the majority of which is remotely exploitable without authentication.

The January 2018 Critical Patch Update also includes security updates that address Spectre and Meltdown vulnerabilities.

“The January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note (Doc ID 2347948.1).” reads the advisory published by Oracle. “This Critical Patch Update contains 237 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at January 2018 Critical Patch Update: Executive Summary and Analysis.”

The  January 2018 Critical Patch Update contains 13 new security fixes for the Oracle Sun Systems Products Suite that address 7 remotely exploitable issues.

Oracle updates include the fix for the Spectre CVE-2017-5715 vulnerability affecting its Oracle X86 Servers and Oracle VM VirtualBox. The security updates for Oracle X86 Servers include Intel microcode that allows mitigating the issue in OS and VM.

“Application of firmware patches to pick up the Intel microcode is required only for Oracle x86 servers using non Oracle OS and Virtualization software. Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode.” reads a note included in the advisory “Oracle OS and Oracle VM patches for CVE-2017-5715 will include updated Intel microcode,”

The advisory includes the full list of fixes along with affected products, the product with the largest number of fixes is Financial Services Applications (34 patches,  13 of them remotely exploitable without authentication).

The second product for the number of fixes is the Fusion Middleware with 27 fixes (21 of them remotely exploitable without authentication).

The third is MySQL with 25 fixes, 6 of which remotely exploitable.

Let’s close with the most severe issue, the  CVE-2018-2611 flaw rated with CVSS score 10 affects Sun ZFS Storage Appliance Kit (AK).


Pierluigi Paganini

(Security Affairs –Oracle, January 2018 Critical Patch Update)



The post Oracle January 2018 Critical Patch Update also addresses Spectre and Meltdown appeared first on Security Affairs.



Leave a Reply