Spectre, Meltdown Update: Oracle Introduces 237 Security Patches

Oracle laid a big job at the feet of its partners when it posted dozens of software patches to close Meltdown and Spectre vulnerabilities.

The software giant based in Redwood Shores, Calif., introduced 237 patches in all on Tuesday for on-premises software spanning a vast portfolio of enterprise applications, databases, middleware and development environments.

Managed services partners in the coming days will need to secure customer environments by implementing the array of fixes, making sure to identify all affected products deployed in the field.

"It creates somewhat of a challenge when it's this broad-based, but it's not something that someone like us that does this for a living couldn't handle," said Ronald Zapar, president and CEO of Re-Quest, an Oracle partner based in Naperville, Ill.

The critical patch update covers the breadth of Oracle software, from products developed in-house, such as its flagship database server, to those acquired over the years, such as Java development environments, Agile product management, Hyperion business intelligence, JD Edwards ERP and PeopleSoft human capital management solutions.

The diversity of affected Oracle applications illustrates that the side-channel attacks that have caused turmoil across the industry need to be addressed beyond the infrastructure layer of microprocessor firmware, operating systems and hypervisors.

While most vendors are introducing fixes to close channels of attack made possible by the chip vulnerabilities revealed earlier this month, the sheer size of Oracle's portfolio creates a unique customer management challenge for its partners that offer patch management services.

"This vulnerability affects multiple software platforms," Zapar said. "Oracle happens to be a vendor that supplies a multitude of these platforms."

But Oracle provides partners with best practices, and partners that appropriately assess and track customer installations should be able to secure those environments without undue burden, he said.

"From our perspective, it's not anything that's daunting," Zapar said.

"We know exactly what application-level products they're using, operating systems and versions they're running on, down to middleware and database," he said.

The biggest challenge to implementing the fixes is arranging for downtime.

"It does take some time, and you might be looking at an outage window that's longer than usual. So it's just about scheduling the time, wrangling the end-users to give up the systems," Zapar said.

While more than 200 products are affected by the chip vulnerabilities, they serve a customer base so diverse—spanning financial services, retail, health, hospitality—that few individual customers will need a large array of distinct patches installed across their systems, Zapar said.