Oracle announced the April 2018 Critical Patch Update. This patch includes 254 new security fixes. At the same time, this patch contains a special addendum called "Addendum to the January 2018 CPU Advisory for Spectre and Meltdown" (Doc ID 2347948.1), about the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities.
Patch Availability Table for Spectre & Meltdown vulnerabilities

| Affected Products | Patch Availability |
|---|---|
| Oracle Audit Vault and Database Firewall [Product ID 9749] | MOS note 2359424.1 |
| Oracle Big Data Appliance [Product ID 9734] | MOS note 2357485.1 |
| Oracle Exadata Database Machine [Product ID 2546] | MOS note 2356385.1 |
| Oracle Exalogic Elastic Cloud [Product ID 9415] | MOS note 2348852.1 |
| Oracle Key Vault [Product ID 10221] | MOS note 2366657.1 |
| Oracle Linux [Product ID 1309] | MOS note 2348448.1 |
| Oracle Private Cloud Appliance [Product ID 10635] | MOS note 2370398.1 |
| Oracle Solaris Operating System [Product ID 10006] | SPARC: MOS note 2349278.1, X86: MOS note 2383531.1 |
| Oracle VM [Product ID 4455] | MOS note 2348460.1 |
| Oracle VM VirtualBox [Product ID 8370] | MOS note 2339562.1 |
| Oracle X86 Servers [Product ID Multiple] | MOS note 2336753.1 |
| Oracle ZFS Storage Appliance (ZFSSA) [Product ID 10026] | MOS note 2371830.1 |
| Zero Data Loss Recovery Appliance Software [Product ID 11342] | MOS note 2356406.1 |
All details about the April 2018 CPU can be found at this site:
If you want a brief summary of this CPU, you can read the MOS note below:
April 2018 Critical Patch Update: Executive Summary and Analysis (Doc ID 2383583.1)
In this note, we will focus on Oracle Database, Oracle Fusion Middleware and MySQL database products.
Let’s start with Oracle Database. This patch includes 2 fixes for Oracle Database, and one of these fixes is for Oracle GoldenGate. As you can see, the number of fixes is very low in this CPU. All vulnerabilities in Oracle Database can be remotely exploitable without authentication. You can find all details about these vulnerabilities in picture-1.
If you look at the fixes for Oracle Fusion Middleware products, you can see 39 new security fixes, and 30 of these vulnerabilities may be remotely exploitable without authentication. The top critical fixes are given in picture-2.
For MySQL database, 33 new security fixes are released, and 2 of these vulnerabilities may be remotely exploitable without authentication. The top fixes for MySQL are given in picture-3.
As a result, the fixes for Oracle Fusion Middleware products are very critical. But Oracle strongly recommends that you apply all these fixes as soon as possible, using this MOS note: Database, Fusion Middleware, and Enterprise Manager Critical Patch Update April 2018 Patch Availability Document 2353306.1.
Thanks for reading this note.
Yusuf Anıl Akduygu