Shown are the latest kernel versions as of the 9th of January which have Meltdown and Spectre patches.
Kernel versions can be found when running the `uname -r` command.
After the kernel is installed, one can find the kernel/package changelog and security info with the following commands, and check whether page table isolation has been activated:
# yum updateinfo list
# yum updateinfo list cves
# yum updateinfo list kernel-uek
# yum updateinfo list --sec-severity=Important
# yum updateinfo info --sec-severity=Important
CVE-2017-1000407 Important/Sec. kernel-uek-4.1.12-112.14.13.el7uek.x86_64
# dmesg | grep isolation
[ 0.000000] Kernel/User page tables isolation: enabled
# rpm -q --changelog kernel | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
# rpm -q --changelog kernel-uek | egrep 'CVE-2017-5715|CVE-2017-5753|CVE-2017-5754'
Oracle Linux version 6
Kernel: 2.6.32-696.18.7 (errata: ELSA-2018-0008), 2018-01-04.
Kernel-uek: 4.1.12-112.14.10 (errata: ELSA-2018-4006), 2018-01-09.
Oracle Linux version 7
Kernel: 3.10.0-693.11.6 (errata: ELSA-2018-0007), 2018-01-04.
Kernel-uek: 4.1.12-112.14.10 (errata: ELSA-2018-4006), 2018-01-04.
Oracle VM version 3.4
Xen: 4.4.4-155.0.12.el6 (errata: OVMSA-2018-0006), 2018-01-08.
Unbreakable Linux Network CVE repository
The following links point to the Meltdown and Spectre descriptions in the Oracle Linux CVE repository.
Spectre (CVE-2017-5715 / CVE-2017-5753)
Critical Patch Updates, Security Alerts and Bulletins
I don’t have any information or data on performance impact yet…
Wallets for encrypting database connections? No, not any more…!
When you want to encrypt your client connections to the database, one used to create Oracle Wallets. With an Oracle wallet you run ‘SQL*Net over an SSL connection’. Your tcp connection will be transformed to tcps.
This is not necessary if you easily want to encrypt all your connections to the database. You do not use tcps, you still use tcp, but you encrypt SQL*Net traffic, which is a different approach.
If you use “Native Oracle Net Services encryption and integrity”, you can encrypt all SQL*Net traffic from a client, for all connections to a database, and it is even configurable per WebLogic Connection Pool.
Linux and Windows…
Quick Reference To Patch Numbers For Database PSU, SPU(CPU) And Bundle Patches [ID 1454618.1]
This document is getting replaced by Note 2118136.2:
Download Reference for Oracle Database/GI PSU, SPU(CPU), Bundle Patches, Patchsets and Base Releases [ID 2118136.2]
Oracle Database, Networking and Grid Agent Patches for Microsoft Platforms [ID 161549.1]
Read all about it in:
Oracle’s Security Alert for ShellShock.
It also lists Oracle products that are affected and do not have fixes available at this time…
The following Doc ID lists the Oracle Linux patches (minimal Bash versions) required to resolve the security vulnerabilities referenced by CVE-2014-6271 and CVE-2014-7169:
CVE-2014-6271 and CVE-2014-7169 Patch Availability Document for Oracle Linux (Doc ID 1930120.1).
These versions can be found, downloaded and YUM-ed from Oracle’s public yum server:
When one is looking for the OpenSSL fix 1.0.1g for Oracle (Red Hat) Linux 6, the fixed package version is ‘1.0.1e-16.el6_5.7’. I think this is a bit misleading, because OpenSSL 1.0.1e is subject to the bug (CVE-2014-0160). But from the Red Hat site: and Oracle MetaLink (MOS Note 1663998.1): “Version openssl-1.0.1e-16.el6_5.7 included a fix backported from openssl-1.0.1g”.
Some simple OS tests can produce a false positive in Heartbleed tests, because they may only look for a version text other than 1.0.1g.
To update to the ‘latest’ OpenSSL version, enable the [OL6_latest] repository and run ‘yum update openssl’:
Setting up Update Process
--> Running transaction check
---> Package openssl.x86_64 0:1.0.1e-15.el6 will be updated
---> Package openssl.x86_64 0:1.0.1e-16.el6_5.7 will be an update
--> Finished Dependency Resolution
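The backport point above, and the minimum kernel builds listed earlier, both come down to comparing the full package version-release rather than the upstream version string. The following is an added example, not code from the original post or from Oracle: it implements the basic rpm segment comparison (no epoch, tilde or caret handling), and the function names are hypothetical.

```python
import re

# Fixed openssl build for Oracle Linux 6, as quoted in the text above.
FIXED_OPENSSL = "1.0.1e-16.el6_5.7"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings segment by segment using the
    basic rpm rules. Returns -1, 0 or 1. Epochs are assumed to be absent."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_vr(vr: str):
    """Split 'version-release' at the last hyphen; the release may be absent."""
    version, _, release = vr.rpartition("-")
    return (version, release) if version else (release, "")


def at_least(installed: str, fixed: str) -> bool:
    """True if the installed version-release is the fixed build or newer."""
    iv, ir = split_vr(installed)
    fv, fr = split_vr(fixed)
    c = rpmvercmp(iv, fv)
    return c > 0 or (c == 0 and rpmvercmp(ir, fr) >= 0)


def naive_upstream_check(installed: str) -> bool:
    """The misleading test: 'patched' only if upstream is 1.0.1g or later."""
    return rpmvercmp(split_vr(installed)[0], "1.0.1g") >= 0


if __name__ == "__main__":
    # Both builds appear in the yum output above.
    for vr in ("1.0.1e-15.el6", "1.0.1e-16.el6_5.7"):
        print(vr, "naive:", naive_upstream_check(vr),
              "package:", at_least(vr, FIXED_OPENSSL))
```

The same `at_least` call works for `uname -r` output against the kernel builds listed earlier, for example `at_least("4.1.12-112.14.13.el7uek.x86_64", "4.1.12-112.14.10")`.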
Testing for processes using OpenSSL
One can test whether processes are using OpenSSL (this is not a Heartbleed vulnerability test) by issuing one of the following two commands:
$ lsof | awk 'NR==1 || $0~/libssl.so.1.0.1e/'
$ grep libssl.so.1.0.1 /proc/*/maps |cut -d/ -f3 |sort -u |xargs -r -- ps uf
OpenSSL Security Bug – Heartbleed / CVE-2014-0160
Document written on April the 18th, 2014…
Happy blee, uh, testing and patching!
I recently updated to Internet Explorer 10 (Windows 7 64bit) and when I browsed to a website with a security certificate problem: “There is a problem with this website’s security certificate.”, the “Continue to this website (not recommended).” option was missing!!!
The issue here is that Microsoft restricted access to pages that are protected by a key of less than 1024 bits. Some Oracle product websites (including Oracle VM Manager) are still using such keys!
— Checked for relevance on January 21, 2017
The Oracle Database version compatibility matrix and version support status matrix are almost mandatory when installing or upgrading clients or servers.
For information about patches, go here: Oracle database patches for Linux and Windows (on Metalink).
For announcements of security fixes, go to Critical Patch Updates, Security Alerts and Third Party Bulletin.
Oracle Database client / server version compatibility matrix
Oracle calls this Client / Server Interoperability Support, Note ID 207303.1
Oracle Database version release support status matrix
Oracle calls this the Database Releases Support Status Summary, Note ID 161818.1
You will be redirected to Oracle Support and you must be registered to gain access to the pages. I did not include the matrices, because these change over time.
Oracle Information about Windows 32 / 64 bit database and client versions
Certification Information for Oracle Database on Microsoft Windows x64 (64-bit), Doc ID 1307195.1
This HTTPS via utl_http using orapki recipe is prepared with certificates and the orapki tool having some sweet and spicy taste. You may also use the Oracle Wallet manager instead of using orapki but for Oracle RDBMS you will need to have Enterprise Edition and Advanced Security pack licenses.