Oracle Security Team

Subscribe to Oracle Security Team feed
Oracle Blogs
Updated: 1 month 1 week ago

RAMBleed DRAM Vulnerabilities

Tue, 2019-06-11 12:00

On June 11th, security researchers published a paper titled “RAMBleed Reading Bits in Memory without Accessing Them”.  This paper describes attacks against Dynamic Random Access Memory (DRAM) modules that are already susceptible to Rowhammer-style attacks.

The new attack methods described in this paper are not microprocessor-specific, they leverage known issues in DRAM memory.  These attacks only impact DDR4 and DDR3 memory modules, and older generations DDR2 and DDR1 memory modules are not vulnerable to these attacks.

While the RAMBleed issues leverage RowHammer, RAMBleed is different in that confidentiality of data may be compromised: RAMBleed uses RowHammer as a side channel to discover the values of adjacent memory. 

Please note that successfully leveraging RAMBleed exploits require that the malicious attacker be able to locally execute malicious code against the targeted system. 

At this point in time, Oracle believes that:

  • All current and many older families of Oracle x86 (X5, X6, X7, X8, E1) and Oracle SPARC servers (S7, T7, T8, M7, M8) employing DDR4 DIMMs are not expected to be impacted by RAMBleed.  This is because Oracle only employs DDR4 DIMMs that have implemented the Target Row Refresh (TRR) defense mechanism against RowHammer.  Oracle’s memory suppliers have stated that these implementations have been designed to be effective against RowHammer. 
  • Older systems making use of DDR3 memory are also not expected to be impacted by RAMBleed because they are making use of a combination of other RowHammer mitigations (e.g., pseudo-TRR and increased DIMM refresh rates in addition to Error-Correcting Code (ECC)).  Oracle is currently not aware of any research that would indicate that the combination of these mechanisms would not be effective against RAMBleed. 
  • Oracle Cloud Infrastructure (OCI) is not impacted by the RAMBleed issues because OCI servers only use DDR4 memory with built-in defenses as previously described.  Exadata Engineered Systems use DDR4 memory (X5 family and newer) and DDR3 memory (X4 family and older).
  • Finally, Oracle does not believe that additional software patches will need to be produced to address the RAMBleed issues, as these memory issues can be only be addressed through hardware configuration changes.  In other words, no additional security patches are expected for Oracle product distributions.
For more information about Oracle Corporate Security Practices, see https://www.oracle.com/corporate/security-practices/

Securing the Oracle Cloud

Wed, 2019-05-29 09:01

Greetings from sunny Seattle! My name is Eran Feigenbaum and I am the Chief Information Security Officer for the Oracle Cloud. Oracle Cloud Infrastructure (OCI) is what we call a Gen2 cloud, a fundamentally re-designed public cloud, architected for superior customer isolation and enterprise application performance than the cloud designs of ten years past. OCI is the platform for Autonomous Data Warehouse and Autonomous Transaction Processing  and, in short order, for all Oracle applications  (see Oracle CEO Mark Hurd on moving NetSuite to the Oracle Cloud),.  This is my inaugural post on our relaunched corporate security blog (thank you Mary Ann) and I’m thrilled to begin a substantive discussion with you about public cloud security. But first things first, with this blog I will describe how my group is organized and functions to protect the infrastructure for the literally thousands of applications and services moving to and continuously being developed on Oracle OCI.

My journey to Oracle was paved on over two decades-worth of experience in security. I was lucky to experience the cloud evolution from all sides in my various roles as pen tester, architect, cloud provider and cloud customer. Certainly, the core set of learnings came from nearly a decade of leading security for what is now Google Cloud. This was during a time when cloud business models were very much in their infancy, as were the protection mechanisms for customer isolation. Later, I would understand the challenges differently as the CISO of an e-commerce venture. Jet.com was a cloud-native business, so while we had no physical data centers, I understood well the limitations of first-generation cloud designs in dealing with cloud-borne threats and data protection requirements. So, when it came to joining OCI, the decision was an easy one. In its Gen2 offering, I saw that Oracle was building the future of enterprise cloud; a place where “enterprise-grade” had meaningful payoff in architecture choices like isolated network virtualization to control threat proliferation and as importantly, DevSecOps was foundational to OCI, not a transformation challenge. What security leader would not want to be a part of that?

OCI distinguishes itself among cloud providers for having predictable performance and a security-first design, so most of our customers are organizations with high sensitivity to data and information protection. They are building high performance computing applications, and that includes our Oracle internal customers, so security must be continuous, ubiquitous, agile and above all scalable. By extension then, the OCI Security Group is in many ways the modern Security Operations Center (SOC). Our job is to enable the continuous integration and continuous deployment (CI/CD) pipeline.

In building the team, I aimed at three main goals: 1) build a complete organization that could address not only detection and response but proactively ensure the security of services developed and deployed on OCI, 2) create a culture and operating practice of frequent communication and metrics sharing among teams to ensure continuous goal evaluation and 3) align with the practices that Oracle’s corporate security teams had set and refined over four decades of protecting customers’ most sensitive data.

To that end the Chief Security Office at Oracle Cloud Infrastructure (OCI) consists of six (6) teams. Between these six (6) teams, the OCI Security Group provides a comprehensive and proactive set of security services, technologies, guidance, and processes that ensure a good security posture and address security risks.

  • Security Assurance: Works collaboratively with the security teams and stakeholders throughout Oracle to drive the development and deployment of security controls, technologies, processes, and guidance for those building on OCI.
  • Product Security: This team really examines and evolves the OCI architecture, both hardware and software/services, to ensure we are taking advantage of innovations and making those changes that enhance our security posture.
  • Offensive Security: The work of this team is really to understand and emulate the methods of bad actors. Some of the work involves research, penetration testing and simulating advanced threats, against our hardware and software. All work is about strengthening our architecture and defensive capability.
  • Defensive Security: These are really the first responders of cloud security. They work proactively to spot weaknesses and in the event of incidents, work to remediate them within the shortest possible window.
  • Security Automation Services: We know that automation is fundamental to scaling but it is also key to shortening detection and response time. The team aggregates and correlates information about risks and methods to develop visualizations and tools that expedite risk reduction.
  • Security Go-To-Market: One of the most common requests of me is to share information on our security architecture, methods, tooling and best practices. Our internal and external customers want reference architectures and information on how to benefit from our experience. Having this function as part of the group gives the team access to ground truth and aligns with a core value to “put customers first”.

While the team organization is set up for completeness of function in service to the CI/CD pipeline, the key to achieving continuous security and security improvement is how well all members operate as a unit. I think of each team as being essential to the others. Each area generates intelligence that informs the other units and propels them in a kind of virtuous cycle with security automation enabling accelerated revolutions through this cycle.

 Functionally interdependent and mission aligned

As Oracle engineers, for instance, plan for the re-homing or development of new applications and services on OCI, our security architecture works with them. Throughout the drawing board and design phases, we advise on best practices, compliance considerations, tooling and what the process for continuous security will look like during the integration and deployment phases. Security assurance personnel, experts in code review best practices, give guidance and create awareness about the benefits of a security mindset for code development. At time of implementation and execution, the offensive security team conducts tests looking for weaknesses and vulnerabilities which will be surfaced both to the development teams as well as to our defensive security teams for both near term and long-term strategic remediation. This process is continuous as changes and updates can quickly alter the security posture of an environment or an application, so our aim is rapid response and most importantly refining practices and processes that will reduce the risk from those same vulnerabilities for the long term. This latter includes continuous security awareness training so that a security mindset is the cultural norm even as we scale and grow at a rapid pace.

Agility and scale in security are an imperative for a cloud operator, especially one at Oracle’s size and scope which attracts the most security sensitive businesses, governments and organizations. Our approach to security automation applies to nearly every activity and process of OCI security. We observe that which can be replicated and actioned either without human intervention or through self service mechanisms. Automation provides innovations and tooling that help not only our OCI security group but internal security stakeholders and even customers. Through visibility and self-service mechanisms, we make developers and service owners part of the OCI security mission and consequently improve our ability to maintain consistent security.

I mentioned at the beginning of this post that key to security effectiveness is not only an organizational structure built for the modern cloud but also security functional areas that are interdependent and in constant communication. One of the best ways that I have found to do this in my career managing large teams is through the Objective and Key Results (OKR) process. Similar, to Key Performance Indicators (KPIs), OKRs enable measurement of success or failure, but unlike KPIs, Objectives and Key Results (OKRs) encourage leaders, teams and contributors to make big bets, stretch beyond what seems merely achievable toward what can be revolutionary. In his seminal book Measure What Matters (of which I talk about to anyone who will listen), John Doerr outlines the structure by which agile enterprises stay aligned to mission even as they adjust to account for changes in business conditions. The key results will confirm if the direction is correct or needs adjusting. The teams of the OCI Security group stay aligned and informed by one another through the OKR system. The focus on cross communication, deduplication and realignment give us visibility to the incremental improvements and successes.

With this description of the OCI Security Group, I’ve given you some insights to how we secure the industry’s most technically advanced public cloud. Over the next months, I am eager to delve deeper on the architecture choices and innovations that set us apart. Let the journey of getting to know OCI security begin!

 

 

 

 

Intel Processor MDS Vulnerabilities: CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and ...

Tue, 2019-05-14 11:59

Today, Intel disclosed a new set of speculative execution side channel vulnerabilities, collectively referred as “Microarchitectural Data Sampling” (MDS).  These vulnerabilities affect a number of Intel processors and have received four distinct CVE identifiers to reflect how they impact the different microarchitectural structures of the affected Intel processors:

  • CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
  • CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) 
  • CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
  • CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)

While vulnerability CVE-2019-11091 has received a CVSS Base Score of 3.8, the other vulnerabilities have all been rated with a CVSS Base Score of 6.5.   As a result of the flaw in the architecture of these processors, an attacker who can execute malicious code locally on an affected system can compromise the confidentiality of data previously handled on the same thread or compromise the confidentiality of data from other hyperthreads on the same processor as the thread where the malicious code executes.  As a result, MDS vulnerabilities are not directly exploitable against servers that do not allow the execution of untrusted code.

These vulnerabilities are collectively referred as Microarchitectural Data Sampling issues (MDS issues) because they refer to issues related to microarchitectural structures of the Intel processors other than the level 1 data cache.  The affected microarchitectural structures in the affected Intel processors are the Data Sampling Uncacheable Memory (uncacheable memory on some microprocessors utilizing speculative execution), the store buffers (temporary buffers to hold store addresses and data), the fill buffers (temporary buffers between CPU caches), and the load ports (temporary buffers used when loading data into registers).  MDS issues are therefore distinct from the previously-disclosed Rogue Data Cache Load (RDCL) and L1 Terminal Fault (L1TF) issues.

Effectively mitigating these MDS vulnerabilities will require updates to Operating Systems and Virtualization software in addition to updated Intel CPU microcode. 

While Oracle has not yet received reports of successful exploitation of these issues “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues.

In response to these MDS issues:

Oracle Hardware:

  • Oracle recommends that administrators of x86-based Systems carefully assess the impact of the MDS flaws for their systems and implement the appropriate security mitigations.  Oracle will provide specific guidance for Oracle Engineered Systems.
  • Oracle has determined that Oracle SPARC servers are not affected by these MDS vulnerabilities.

Oracle Operating Systems (Linux and Solaris) and Virtualization:

  • Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for X86 products.  In addition to OS patches, customers should run the current version of the Intel microcode to mitigate these issues. In certain instances, Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.
  • Oracle has determined that Oracle Solaris on x86 is affected by these vulnerabilities.  Customers should refer to Doc ID 2540621.1  for additional information.
  • Oracle has determined that Oracle Solaris on SPARC is not affected by these MDS vulnerabilities.

Oracle Cloud:

  • The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing mitigations for these MDS vulnerabilities that are designed to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services. 
  • Oracle will inform Cloud customers using the normal maintenance notification mechanisms about required maintenance activities as additional mitigating controls continue to be implemented in response to the MDS vulnerabilities.
  • Oracle has determined that the MDS vulnerabilities will not impact a number of Oracle's cloud services.  They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads.  No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design to prevent the exploitation of the MDS vulnerabilities.  
  • Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run.  By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal.  However, for customers running their own virtualization stack on bare metal instances, the MDS vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance.  These customers should review the Intel recommendations about these MDS vulnerabilities and make the recommended changes to their configurations.

As previously anticipated, we continue to expect that new techniques leveraging speculative execution flaws in processors will continue to be disclosed.  These issues are likely to continue to impact primarily operating systems and virtualization platforms and addressing these issues will likely continue to require software update and microcode update.  Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades.

 

For more information:

Oracle Linux customers can refer to the bulletins located at https://linux.oracle.com/cve/CVE-2019-11091.html, https://linux.oracle.com/cve/CVE-2018-12126.html, https://linux.oracle.com/cve/CVE-2018-12130.html, https://linux.oracle.com/cve/CVE-2018-12127.html

For information about the availability of Intel microcode for Oracle hardware, see Intel MDS vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127: Intel Processor Microcode Availability (Doc ID 2540606.1) and Intel MDS (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130 and CVE-2018-12127) Vulnerabilities in Oracle x86 Servers (Doc ID 2540621.1)

Oracle Solaris customers should refer to Intel MDS Vulnerabilities (CVE-2019-11091, CVE-2018-12126, CVE-2018-12130, and CVE-2018-12127): Oracle Solaris Impact (Doc ID 2540522.1)

Oracle Cloud Infrastructure (OCI) customers should refer to https://docs.cloud.oracle.com/iaas/Content/Security/Reference/MDS_response.htm 

 

Security Alert CVE-2019-2725 Released

Fri, 2019-04-26 12:43

Oracle has just released Security Alert CVE-2019-2725.  This Security Alert was released in response to a recently-disclosed vulnerability affecting Oracle WebLogic Server.  This vulnerability affects a number of versions of Oracle WebLogic Server and has received a CVSS Base Score of 9.8.  WebLogic Server customers should refer to the Security Alert Advisory for information on affected versions and how to obtain the required patches. 

 

Please note that vulnerability CVE-2019-2725 has been associated in press reports with vulnerabilities CVE-2018-2628, CVE-2018-2893, and CVE-2017-10271.  These vulnerabilities were addressed in patches released in previous Critical Patch Update releases.

 

Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.

 

For more information:

The Security Alert advisory is located at  https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html 

The October 2017 Critical Patch Update advisory is located at https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html

The April 2018 Critical Patch Update advisory is located at https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

The July 2018 Critical patch Update advisory is located at https://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Oracle Linux certified under Common Criteria and FIPS 140-2

Wed, 2019-04-24 08:40

Oracle Linux 7 has just received both a Common Criteria (CC) Certification which was performed against the National Information Assurance Partnership (NIAP) General Purpose Operating System Protection Profile (OSPP) v4.1 as well as a FIPS 140-2 validation of its cryptographic modules.  Oracle Linux is currently one of only two operating systems – and the only Linux distribution – on the NIAP Product Compliant List. 

U.S. Federal procurement policy requires IT products sold to the Department of Defense (DoD) to be on this list; therefore, Federal cloud customers who select Oracle Cloud Infrastructure can now opt for a NIAP CC-certified operating system that also includes FIPS 140-2 validated cryptographic modules, by making Oracle Linux 7 the platform for their cloud services solution.

Common Criteria Certification for Oracle Linux 7

The National Information Assurance Partnership (NIAP) is “responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body.”(See About NIAP at https://www.niap-ccevs.org/ )

The Operating Systems Protection Profile (OSPP) series are the only NIAP-approved Protection Profiles for operating systems. “A Protection Profile is an implementation-independent set of security requirements and test activities for a particular technology that enables achievable, repeatable, and testable (CC) evaluations.”  They are intended to “accurately describe the security functionality of the systems being certified in terms of [CC] and to define functional and assurance requirements for such products.”  In other words, the OSPP enables organizations to make an accurate comparison of operating systems security functions. (For both quotations, see NIAP Frequently Asked Questions (FAQ) at https://www.niap-ccevs.org/Ref/FAQ.cfm)

In addition, products that certify against these Protection Profiles can also help you meet certain US government procurement rules.  As set forth in the Committee on National Security Systems Policy (CNSSP) #11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology Products (published in June 2013), “All [common off-the-shelf] COTS IA and IA-enabled IT products acquired for use to protect information on NSS shall comply with the requirements of the NIAP program in accordance with NSA-approved processes.”  

Oracle Linux is now the only Linux distribution on the NIAP Product Compliant List.  It is one of only two operating systems on the list.

You may recall that Linux distributions (including Oracle Linux) have previously completed Common Criteria evaluations (mostly against a German standard protection profile), these evaluations are now limited because they are only officially recognized in Germany and within the European SOG-IS agreement. Furthermore, the revised Common Criteria Recognition Arrangement (CCRA) announcement on the CCRA News Page from September 8th 2014, states that “After September 8th 2017, mutually recognized certificates will either require protection profile-based evaluations or claim conformance to evaluation assurance levels 1 through 2 in accordance with the new CCRA.”  That means evaluations conducted within the CCRA acceptance rules, such as the Oracle Linux 7.3 evaluation, are globally recognized in the 30 countries that have signed the CCRA. As a result, Oracle Linux 7.3 is the only Linux distribution that meets current US procurement rules.

It is important to recognize that the exact status of the certifications of operating systems under the NIAP OSPP has significant implications for the use of cloud services by U.S. government agencies.  The Federal Risk and Authorization Management Program (FedRAMP) website states that it is a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.” For both FedRamp Moderate and High, the SA-4 Guidance states “The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.

FIPS 140-2 Level 1 Validation for Oracle Linux 6 and 7

In addition to the Common Criteria Certification, Oracle Linux cryptographic modules are also now FIPS 140-2 validated. FIPS 140-2 is a prerequisite for NIAP Common Criteria evaluations. “All cryptography in the TOE for which NIST provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and their individual components must be NIST validated (CAVP and/or CMVP). At a minimum an appropriate NIST CAVP certificate is required before a NIAP CC Certificate will be awarded.” (See NIAP Policy Letter #5, June 25, 2018 at https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/policy-ltr-5-update3.pdf )

FIPS is also a mandatory standard for all cryptographic modules used by the US government. “This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106.” (See Cryptographic Module Validation Program; What Is The Applicability Of CMVP To The US Government? at https://csrc.nist.gov/projects/cryptographic-module-validation-program ).

Finally, FIPS is required for any cryptography that is a part of a FedRamp certified cloud service. “For data flows crossing the authorization boundary or anywhere else encryption      is required, FIPS 140 compliant/validated cryptography must be employed. FIPS 140 compliant/validated products will have certificate numbers. These certificate numbers will be required to be identified in the SSP as a demonstration of this capability. JAB TRs will not authorize a cloud service that does not have this capability.” (See FedRamp Tips & Cues Compilation, January 2018, at https://www.fedramp.gov/assets/resources/documents/FedRAMP_Tips_and_Cues.pdf ).

Oracle includes FIPS 140-2 Level 1 validated cryptography into Oracle Linux 6 and Oracle Linux 7 on x86-64 systems with the Unbreakable Enterprise Kernel and the Red Hat Compatible Kernel. The platforms used for FIPS 140 validation testing include Oracle Server X6-2 and Oracle Server X7-2, running Oracle Linux 6.9 and 7.3. Oracle “vendor affirms” that the FIPS validation is maintained on other x86-64 equivalent hardware that has been qualified in its Oracle Linux Hardware Certification List (HCL), on the corresponding Oracle Linux releases.

Oracle Linux cryptographic modules enable FIPS 140-compliant operations for key use cases such as data protection and integrity, remote administration (SSH, HTTPS TLS, SNMP, and IPSEC), cryptographic key generation, and key/certificate management.

Federal cloud customers who select Oracle Cloud Infrastructure can now opt for a NIAP CC-certified operating system (that also includes FIPS 140-2 validated cryptographic modules) by making Oracle Linux 7 the bedrock of their cloud services solution.

Oracle Linux is engineered for open cloud infrastructure. It delivers leading performance, scalability, reliability, and security for enterprise SaaS and PaaS workloads as well as traditional enterprise applications. Oracle Linux Support offers access to award-winning Oracle support resources and Linux support specialists, zero-downtime updates using Ksplice, additional management tools such as Oracle Enterprise Manager and lifetime support, all at a low cost.

For a matrix of Oracle security evaluations currently in progress as well as those completed, please refer to the Oracle Security Evaluations.

Visit Oracle Linux Security to learn how Oracle Linux can help keep your systems secure and improve the speed and stability of your operations.

 

April 2019 Critical Patch Update Released

Tue, 2019-04-16 01:00

Oracle today released the April 2019 Critical Patch Update. 

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction and Engineering, Communications, Financial Services, Hospitality, Food & Beverage, Retail, Utilities), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html and the executive summary published on My Oracle Support (Doc ID. 2494878.1). 

For more information about the Critical Patch Update program, see the security vulnerability remediation practices page located on Oracle’s corporate security practices site.

Welcome to Oracle’s corporate security blog

Mon, 2019-04-08 10:31

Hi, all! My name is Mary Ann Davidson and I am the Chief Security Officer for Oracle. I’m the first contributor to our relaunched corporate security blog. Having many different security voices contribute to this blog will help our customers understand the breadth of security at Oracle - across multiple organizations and multiple lines of business. Security at Oracle is way too big (and too important) to be constrained to one person or even one organization. This blog entry will describe how security is organized at Oracle and what my organization does specifically.

When I joined Oracle (and before I started working in security), we were just beginning to build “Oracle Financials” – at the time, general ledger, purchasing and payables applications - which have long since expanded to a huge portfolio of business applications. Since then, we’ve continued to grow: more business applications, middleware, operating systems, engineered systems, industry solutions (e.g., construction, retail, hospitality, financial services) and of course, many clouds (infrastructure as a service (IaaS), platform as a service (PaaS) and Software as a Service (SaaS) - business applications we run for our customers). Plus databases, of course!

The amount of diversity we have in terms of our product and service portfolio has a significant impact from a security perspective. The first one is pretty obvious: nobody can be an expert on absolutely everything in security (and even if one person were an expert on everything, there isn’t enough time for one person to be responsible for securing absolutely everything, everywhere in Oracle). The second is also obvious: security must be a cultural value, because you can never hire enough security experts to look over the shoulders of everyone else to make sure they are doing whatever they do securely. As a result, Oracle has adopted a decentralized security model, albeit with corporate security oversight: “trust, but verify.”

With regard to our core business, security expertise remains in development. By that I mean that development organizations are responsible for the security-worthiness of what they design and build, and in particular, security has to be “built in, not bolted on” since security doesn’t work well (if at all) as an afterthought. (As I used to say when I worked in construction management in the US Navy, “You can’t add rebar after the concrete has set.”)

Security oversight falls under the following main groups at Oracle: Global Physical Security (facility security, investigations, executive protection, etc.), Global Information Security (the “what” we do as a company in terms of corporate security policies, including compliance, forensic investigations, etc.), Corporate Security Architecture (review and approval prior to systems going live to ensure they are securely architected), and Global Product Security, which is my team.

I mentioned I am the CSO for Oracle but really, that would be better categorized as “Chief Security Assurance Officer.” What does assurance at Oracle encompass? In essence, that everything we build – hardware and software products, services, and consulting engagements – has security built in and maintains a lifecycle of security. In order to do that, my team has developed an extensive program – from “what” we do to “how” we do it – including verifying that “we did what we are supposed to do.” The “what” includes secure coding and secure development standards, covering not only “don’t do X,” but “here’s how to do Y.” We train many people in development organizations on these standards (e.g., not only developers but quality assurance (QA) people and doc writers, some of whom write code samples that we obviously want to reflect secure coding practice). We have more extensive, tailored training tracks, as well. Our secure development requirements also include architectural risk analysis (ARA), since people building systems (or even features within systems) need to think about the type of threats the system will be subjected to and design with those threats in mind.  These programs and activities are collectively known as Oracle Software Security Assurance (OSSA).

One of the ways we decentralize security is by identifying and appointing people in development and consulting organizations to be our “security boots on the ground.” Specifically, we have around 60 senior Security Leads and over 1,700 Security Points Of Contact (SPOCs) that implement Oracle Software Security Assurance programs across a multiplicity of development organizations and consulting.

Development teams are required to use various security analysis and testing tools, including both static and dynamic analysis, to triage the security bugs found and to attempt to fix the worst issues the quickest. We use a lot of different tools to do this, since no one tool works equally well for all types of code. We also build tools in-house to help us find security problems (e.g., a static analysis tool called Parfait, built by Oracle Labs, which we optimize for use within Oracle). Other tools are developed by the ethical hacking team (EHT), e.g., the wonderfully-named SQL*Splat, which fuzzes PL/SQL code.

The EHT’s job is to attempt to break our products and services before “real” bad guys do, and in particular to capture “larger lessons learned” from the results of the EHT’s work, so we can share those observations (e.g., via a new coding standard or an automated tool) across multiple teams in development. I’m also pleased to note that the EHT’s skills are so popular that a number of development groups in Oracle have stood up their own EHTs.

My team also includes people who manage security vulnerabilities: the SecAlert team, who manage the release of our quarterly critical path updates (CPUs), and the Security Alert program, as well as engaging with the security researcher community.

Lastly, we have a team of security evaluators who take selected products and services through international Criteria (ISO-15408) and U.S Federal Information Processing (FIPS)-140 certifications: another way we “trust, but verify.”

Security assurance is not only increasingly important – think of the bazillions of Internet of Things devices as people insist on implanting sensors in absolutely everything - but increasingly asked about by customers who want to know “how did you build – and manage – this product or service?” That is another reason we make sure we can measure what teams across the company are doing or not doing in assurance and help uplift those who need to do better.

In the future, we will be publishing more blog entries to discuss the respective roles of security oversight teams, as well as the security work of operational and development teams. “Many voices” will illustrate the breadth and width of security at Oracle, and how seriously we take it. On a personal note, I look forward to reading about the great work my many valued colleagues at Oracle are doing to continue to make security rock solid, and a core cultural value.

January 2019 Critical Patch Update Released

Tue, 2019-01-15 14:59

Oracle today released the January 2019 Critical Patch Update.

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Golden Gate, Oracle Big Data Graph, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction, Communications, Financial Services, Hospitality, Insurance, Retail), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html and the executive summary published on My Oracle Support (Doc ID  2489117.1).  

January 2019 Critical Patch Update Released

Tue, 2019-01-15 14:59

Oracle today released the January 2019 Critical Patch Update.

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Golden Gate, Oracle Big Data Graph, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction, Communications, Financial Services, Hospitality, Insurance, Retail), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html and the executive summary published on My Oracle Support (Doc ID  2489117.1).  

October 2018 Critical Patch Update Released

Tue, 2018-10-16 14:59

Oracle today released the October 2018 Critical Patch Update

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Golden Gate, Oracle Big Data Graph, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction, Communications, Financial Services, Hospitality, Insurance, Retail), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components). 

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html and the executive summary published on My Oracle Support (Doc ID 2456979.1).  

October 2018 Critical Patch Update Released

Tue, 2018-10-16 14:59

Oracle today released the October 2018 Critical Patch Update

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Golden Gate, Oracle Big Data Graph, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction, Communications, Financial Services, Hospitality, Insurance, Retail), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components). 

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html and the executive summary published on My Oracle Support (Doc ID 2456979.1).  

October 2018 Critical Patch Update Released

Tue, 2018-10-16 14:59

Oracle today released the October 2018 Critical Patch Update

This Critical Patch Update provides security updates for a wide range of product families, including: Oracle Database Server, Oracle Golden Gate, Oracle Big Data Graph, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction, Communications, Financial Services, Hospitality, Insurance, Retail), Oracle Java SE, Oracle Virtualization, Oracle MySQL, and Oracle Sun Systems Products Suite.

As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components). 

For more information about this Critical Patch Update, customers should refer to the Critical Patch Update Advisory located at https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html and the executive summary published on My Oracle Support (Doc ID 2456979.1).  

Security Alert CVE-2018-11776 Released

Fri, 2018-08-31 21:00

Oracle just released Security Alert CVE-2018-11776.  This vulnerability affects Apache Struts 2, a component used in a number of Oracle product distributions.   It has received a CVSS Base Score of 9.8.  The Security Alert advisory provides a list of affected Oracle products, their statuses, and information about available patches.

For more information, see the Security Alert advisory located at http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html and MOS Note "Security Alert CVE-2018-11776 Products and Versions" (Doc ID 2440044.1).

Security Alert CVE-2018-11776 Released

Fri, 2018-08-31 21:00

Oracle just released Security Alert CVE-2018-11776.  This vulnerability affects Apache Struts 2, a component used in a number of Oracle product distributions.   It has received a CVSS Base Score of 9.8.  The Security Alert advisory provides a list of affected Oracle products, their statuses, and information about available patches.

For more information, see the Security Alert advisory located at http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html and MOS Note "Security Alert CVE-2018-11776 Products and Versions" (Doc ID 2440044.1).

Security Alert CVE-2018-11776 Released

Fri, 2018-08-31 21:00

Oracle just released Security Alert CVE-2018-11776.  This vulnerability affects Apache Struts 2, a component used in a number of Oracle product distributions.   It has received a CVSS Base Score of 9.8.  The Security Alert advisory provides a list of affected Oracle products, their statuses, and information about available patches.

For more information, see the Security Alert advisory located at http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html

Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

Tue, 2018-08-14 12:00

Today, Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors.    These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received three CVE identifiers:

  • CVE-2018-3615 impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620 impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646 impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1

These vulnerabilities derive from a flaw in Intel processors, in which operations performed by a processor while using speculative execution can result in a compromise of the confidentiality of data between threads executing on a physical CPU core. 

As with other variants of speculative execution side-channel issues (i.e., Spectre and Meltdown), successful exploitation of L1TF vulnerabilities require the attacker to have the ability to run malicious code on the targeted systems.  Therefore, L1TF vulnerabilities are not directly exploitable against servers which do not allow the execution of untrusted code. 

While Oracle has not yet received reports of successful exploitation of this speculative execution side-channel issue “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues. 

The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:

  • Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update  it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.

  • Applying the necessary OS and virtualization software patches against affected systems. To be effective, OS patches will require the presence of the updated Intel processor microcode.  This is because updated microcode by itself is not sufficient to protect against L1TF.  Corresponding OS and virtualization software updates are also required to mitigate the L1TF vulnerabilities present in Intel processors.

  • Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.

In response to the various L1TF Intel processor vulnerabilities:

Oracle Hardware

  • Oracle recommends that administrators of x86-based Systems carefully assess the L1TF threat for their systems and implement the appropriate security mitigations.Oracle will provide specific guidance for Oracle Engineered Systems.

  • Oracle has determined that Oracle SPARC servers are not affected by the L1TF vulnerabilities.

  • Oracle has determined that Oracle Intel x86 Servers are not impacted by vulnerability CVE-2018-3615 because the processors in use with these systems do not make use of Intel Software Guard Extensions (SGX).

Oracle Operating Systems (Linux and Solaris) and Virtualization

  • Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for X86 products.  In addition to OS patches, customers should run the current version of the Intel microcode to mitigate these issues. 

  • Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.

  • Oracle has determined that Oracle Solaris on x86 is not affected by vulnerabilities CVE-2018-3615 and CVE-2018-3620 regardless of the underlying Intel processor on these systems.  It is however affected by vulnerability CVE-2018-3646 when using Kernel Zones. The necessary patches will be provided at a later date

  • Oracle Solaris on SPARC is not affected by the L1TF vulnerabilities.

Oracle Cloud

  • The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing the necessary mitigations to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services.  

  • Oracle’s first priority is to mitigate the risk of tenant-to-tenant attacks.

  • Oracle will notify and coordinate with the affected customers for any required maintenance activities as additional mitigating controls continue to be implemented.

  • Oracle has determined that a number of Oracle's cloud services are not affected by the L1TF vulnerabilities.  They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads.  No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design and are not affected by the L1TF vulnerabilities (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646).   

  • Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run.  By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal.  However, for customers running their own virtualization stack on bare metal instances, the L1TF vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance.  These customers should review the Intel recommendations about vulnerabilities CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 and make changes to their configurations as they deem appropriate.

Note that many industry experts anticipate that new techniques leveraging these processor flaws will continue to be disclosed for the foreseeable future.  Future speculative side-channel processor vulnerabilities are likely to continue to impact primarily operating systems and virtualization platforms, as addressing them will likely require software update and microcode update.  Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades. 

 

For more information:
 

Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

Tue, 2018-08-14 12:00

Today, Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors.    These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received three CVE identifiers:

  • CVE-2018-3615 impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620 impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646 impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1

These vulnerabilities derive from a flaw in Intel processors, in which operations performed by a processor while using speculative execution can result in a compromise of the confidentiality of data between threads executing on a physical CPU core. 

As with other variants of speculative execution side-channel issues (i.e., Spectre and Meltdown), successful exploitation of L1TF vulnerabilities require the attacker to have the ability to run malicious code on the targeted systems.  Therefore, L1TF vulnerabilities are not directly exploitable against servers which do not allow the execution of untrusted code. 

While Oracle has not yet received reports of successful exploitation of this speculative execution side-channel issue “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues. 

The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:

  • Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update  it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.

  • Applying the necessary OS and virtualization software patches against affected systems. To be effective, OS patches will require the presence of the updated Intel processor microcode.  This is because updated microcode by itself is not sufficient to protect against L1TF.  Corresponding OS and virtualization software updates are also required to mitigate the L1TF vulnerabilities present in Intel processors.

  • Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.

In response to the various L1TF Intel processor vulnerabilities:

Oracle Hardware

  • Oracle recommends that administrators of x86-based Systems carefully assess the L1TF threat for their systems and implement the appropriate security mitigations.Oracle will provide specific guidance for Oracle Engineered Systems.

  • Oracle has determined that Oracle SPARC servers are not affected by the L1TF vulnerabilities.

  • Oracle has determined that Oracle Intel x86 Servers are not impacted by vulnerability CVE-2018-3615 because the processors in use with these systems do not make use of Intel Software Guard Extensions (SGX).

Oracle Operating Systems (Linux and Solaris) and Virtualization

  • Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for X86 products.  In addition to OS patches, customers should run the current version of the Intel microcode to mitigate these issues. 

  • Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.

  • Oracle has determined that Oracle Solaris on x86 is not affected by vulnerabilities CVE-2018-3615 and CVE-2018-3620 regardless of the underlying Intel processor on these systems.  It is however affected by vulnerability CVE-2018-3646 when using Kernel Zones. The necessary patches will be provided at a later date

  • Oracle Solaris on SPARC is not affected by the L1TF vulnerabilities.

Oracle Cloud

  • The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing the necessary mitigations to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services.  

  • Oracle’s first priority is to mitigate the risk of tenant-to-tenant attacks.

  • Oracle will notify and coordinate with the affected customers for any required maintenance activities as additional mitigating controls continue to be implemented.

  • Oracle has determined that a number of Oracle's cloud services are not affected by the L1TF vulnerabilities.  They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads.  No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design and are not affected by the L1TF vulnerabilities (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646).   

  • Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run.  By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal.  However, for customers running their own virtualization stack on bare metal instances, the L1TF vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance.  These customers should review the Intel recommendations about vulnerabilities CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 and make changes to their configurations as they deem appropriate.

Note that many industry experts anticipate that new techniques leveraging these processor flaws will continue to be disclosed for the foreseeable future.  Future speculative side-channel processor vulnerabilities are likely to continue to impact primarily operating systems and virtualization platforms, as addressing them will likely require software update and microcode update.  Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades. 

 

For more information:
 

Intel Processor L1TF vulnerabilities: CVE-2018-3615, CVE-2018-3620, CVE-2018-3646

Tue, 2018-08-14 12:00

Today, Intel disclosed a new set of speculative execution side-channel processor vulnerabilities affecting their processors.    These L1 Terminal Fault (L1TF) vulnerabilities affect a number of Intel processors, and they have received three CVE identifiers:

  • CVE-2018-3615 impacts Intel Software Guard Extensions (SGX) and has a CVSS Base Score of 7.9.

  • CVE-2018-3620 impacts operating systems and System Management Mode (SMM) running on Intel processors and has a CVSS Base Score of 7.1.

  • CVE-2018-3646 impacts virtualization software and Virtual Machine Monitors (VMM) running on Intel processors and has a CVSS Base Score of 7.1

These vulnerabilities derive from a flaw in Intel processors, in which operations performed by a processor while using speculative execution can result in a compromise of the confidentiality of data between threads executing on a physical CPU core. 

As with other variants of speculative execution side-channel issues (i.e., Spectre and Meltdown), successful exploitation of L1TF vulnerabilities require the attacker to have the ability to run malicious code on the targeted systems.  Therefore, L1TF vulnerabilities are not directly exploitable against servers which do not allow the execution of untrusted code. 

While Oracle has not yet received reports of successful exploitation of this speculative execution side-channel issue “in the wild,” Oracle has worked with Intel and other industry partners to develop technical mitigations against these issues. 

The technical steps Intel recommends to mitigate L1TF vulnerabilities on affected systems include:

  • Ensuring that affected Intel processors are running the latest Intel processor microcode. Intel reports that the microcode update  it has released for the Spectre 3a (CVE-2018-3640) and Spectre 4 (CVE-2018-3639) vulnerabilities also contains the microcode instructions which can be used to mitigate the L1TF vulnerabilities. Updated microcode by itself is not sufficient to protect against L1TF.

  • Applying the necessary OS and virtualization software patches against affected systems. To be effective, OS patches will require the presence of the updated Intel processor microcode.  This is because updated microcode by itself is not sufficient to protect against L1TF.  Corresponding OS and virtualization software updates are also required to mitigate the L1TF vulnerabilities present in Intel processors.

  • Disabling Intel Hyper-Threading technology in some situations. Disabling HT alone is not sufficient for mitigating L1TF vulnerabilities. Disabling HT will result in significant performance degradation.

In response to the various L1TF Intel processor vulnerabilities:

Oracle Hardware

  • Oracle recommends that administrators of x86-based Systems carefully assess the L1TF threat for their systems and implement the appropriate security mitigations.Oracle will provide specific guidance for Oracle Engineered Systems.

  • Oracle has determined that Oracle SPARC servers are not affected by the L1TF vulnerabilities.

  • Oracle has determined that Oracle Intel x86 Servers are not impacted by vulnerability CVE-2018-3615 because the processors in use with these systems do not make use of Intel Software Guard Extensions (SGX).

Oracle Operating Systems (Linux and Solaris) and Virtualization

  • Oracle has released security patches for Oracle Linux 7, Oracle Linux 6 and Oracle VM Server for X86 products.  In addition to OS patches, customers should run the current version of the Intel microcode to mitigate these issues. 

  • Oracle Linux customers can take advantage of Oracle Ksplice to apply these updates without needing to reboot their systems.

  • Oracle has determined that Oracle Solaris on x86 is not affected by vulnerabilities CVE-2018-3615 and CVE-2018-3620 regardless of the underlying Intel processor on these systems.  It is however affected by vulnerability CVE-2018-3646 when using Kernel Zones. The necessary patches will be provided at a later date

  • Oracle Solaris on SPARC is not affected by the L1TF vulnerabilities.

Oracle Cloud

  • The Oracle Cloud Security and DevOps teams continue to work in collaboration with our industry partners on implementing the necessary mitigations to protect customer instances and data across all Oracle Cloud offerings: Oracle Cloud (IaaS, PaaS, SaaS), Oracle NetSuite, Oracle GBU Cloud Services, Oracle Data Cloud, and Oracle Managed Cloud Services.  

  • Oracle’s first priority is to mitigate the risk of tenant-to-tenant attacks.

  • Oracle will notify and coordinate with the affected customers for any required maintenance activities as additional mitigating controls continue to be implemented.

  • Oracle has determined that a number of Oracle's cloud services are not affected by the L1TF vulnerabilities.  They include Autonomous Data Warehouse service, which provides a fully managed database optimized for running data warehouse workloads, and Oracle Autonomous Transaction Processing service, which provides a fully managed database service optimized for running online transaction processing and mixed database workloads.  No further action is required by customers of these services as both were found to require no additional mitigating controls based on service design and are not affected by the L1TF vulnerabilities (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646).   

  • Bare metal instances in Oracle Cloud Infrastructure (OCI) Compute offer full control of a physical server and require no additional Oracle code to run.  By design, the bare metal instances are isolated from other customer instances on the OCI network whether they be virtual machines or bare metal.  However, for customers running their own virtualization stack on bare metal instances, the L1TF vulnerability could allow a virtual machine to access privileged information from the underlying hypervisor or other VMs on the same bare metal instance.  These customers should review the Intel recommendations about vulnerabilities CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 and make changes to their configurations as they deem appropriate.

Note that many industry experts anticipate that new techniques leveraging these processor flaws will continue to be disclosed for the foreseeable future.  Future speculative side-channel processor vulnerabilities are likely to continue to impact primarily operating systems and virtualization platforms, as addressing them will likely require software update and microcode update.  Oracle therefore recommends that customers remain on current security release levels, including firmware, and applicable microcode updates (delivered as Firmware or OS patches), as well as software upgrades. 

 

For more information:
 

Security Alert CVE-2018-3110 Released

Fri, 2018-08-10 15:02

Oracle just released Security Alert CVE-2018-3110.  This vulnerability affects the Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows.  It has received a CVSS Base Score of 9.9, and it is not remotely exploitable without authentication.  Vulnerability CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix; however, patches for those versions and platforms were included in the July 2018 Critical Patch Update.

Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible.  This means that:

  • Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
  • Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so. 

For More Information:
• The Advisory for Security Alert CVE-2018-3110 is located at http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
• The Advisory for the July 2018 Critical Patch Update is located at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Security Alert CVE-2018-3110 Released

Fri, 2018-08-10 15:02

Oracle just released Security Alert CVE-2018-3110.  This vulnerability affects the Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows.  It has received a CVSS Base Score of 9.9, and it is not remotely exploitable without authentication.  Vulnerability CVE-2018-3110 also affects Oracle Database version 12.1.0.2 on Windows as well as Oracle Database on Linux and Unix; however, patches for those versions and platforms were included in the July 2018 Critical Patch Update.

Due to the nature of this vulnerability, Oracle recommends that customers apply these patches as soon as possible.  This means that:

  • Customers running Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows should apply the patches provided by the Security Alert.
  • Customers running version 12.1.0.2 on Windows or any version of the database on Linux or Unix should apply the July 2018 Critical Patch Update if they have not already done so. 

For More Information:
• The Advisory for Security Alert CVE-2018-3110 is located at http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
• The Advisory for the July 2018 Critical Patch Update is located at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Pages