Your thoughts on applicability of CVE-2014-8730?

user12069610 Member Posts: 1
edited Dec 10, 2014 3:38AM in Cryptography

Hello,

As no doubt many of you know there has been another POODLE attack variant found and this time against TLS implementations. Wondering if anyone here has heard from Oracle about the applicability of CVE-2014-8730 in Java? This is a new vulnerability and NVD and CVE websites have little published information. The best info thus far is from the "horse's mouth" here:

https://www.imperialviolet.org/2014/12/08/poodleagain.html

https://vivaldi.net/blogs/entry/not-out-of-the-woods-yet-there-are-more-poodles

I'm expecting there to be a formal announcement from Oracle regarding this issue but wanted to post here to see if any of you had insight to share.

Answers

  • Smitha-Oracle Member Posts: 29 Employee

    Hello,

    To ensure we are working effectively with you, we would like to share some information on the handling of SRs related to possible security vulnerability issues.

    Please be aware that in order to ensure the highest level of confidentiality for these sensitive issues, our security team is kept small.  This prevents us from being able to work security SRs as severity 1's where the SR is worked 24x7.  We can honor Sev 1 requests, in addition to escalations on security SRs.  For escalation requests, please be aware that our Managers have 1 business day to contact you.  We do our best to ensure you have an engineer skilled in your product, trained in security and working as closely as possible to your time zone.

    Support will work with you to understand the problem, the impact and what steps are required to reproduce it.  If we determine this is an issue that could be a security vulnerability, we will work with our corporate security organization to continue investigation and determine steps to resolve the problem. 

    Once passed to the corporate security organization, the issue is treated as confidential and Support will need to wait on the conclusion of Oracle's Global Product Security analysis, before we can provide any further details on next steps to resolving the problem.  If you have specific deadlines you are trying to meet or if this is an urgent issue, please provide that information to us, to enable us to properly prioritize your issue.

    When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems.  Oracle's policy is to fix security vulnerabilities in severity order -- higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities. 

    Oracle encourages our customers to contact us as soon as they suspect security vulnerabilities.  Oracle strongly advises all Customers to apply CPU/PSU/SPU patches promptly, to ensure they have the most up-to-date protection from product security vulnerabilities. We also recommend each customer review and implement the recommendations in the secure configuration guide for their installed products.

    More information on Oracle's security policy for vulnerability handling can be found here:
    http://www.oracle.com/us/support/assurance/fixing-policies/index.html

    More information on the CPU program can be found here:
    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

    You need to follow up in the SR logged for this issue.

    Regards,

    Smitha

This discussion has been closed.