We do not provide official statements for security-related questions here.
You must wait for an official statement released from Oracle or open a security Service request.
Any idea when there will be an official statement from Oracle? Where can I check whether or not Oracle has made such a statement?
I created an SR this week and got this "official" answer from support:
Oracle is aware of the recently disclosed security vulnerabilities. Oracle is investigating the impact on the Oracle product line and will produce patches for any affected Oracle product.
Patches for affected Oracle products will be announced on the Critical Patch Update page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Oracle will not provide any additional information other than the patches announced in the mentioned CPU alerts.
We will not provide advanced notification or additional details about the security vulnerability. Please review the Oracle policies for more information:
+ Oracle Security Vulnerability Disclosure Policies
+ Security Fixing Policies
Please check the CPU page including the Third Party Bulletin for updates. Solaris fixes (where applicable) will also be listed in the MOS note 1448883.1
As of this moment neither the CPU nor the Third Party Bulletin nor the MOS note 1448883.1 is listing additional information about the recent issues and Oracle will not provide any further information here (as explained above).
Oracle has developed fixes addressing the Intel processor design flaws leading to vulnerabilities CVE-2017-5753, CVE-2017-5754, and CVE-2017-5715. Oracle will deliver those fixes, if applicable, in accordance with Oracle’s security update policies. WHEN: 17/01/2018 4pm CET (GMT+1)
Please have a look at these two documents for more info about the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities:
January 2018 Critical Patch Update: Executive Summary and Analysis (Doc ID 2338411.1)
Oracle Solaris on SPARC and Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754) (Doc ID 2349278.1)
For X5-2, it states that only CVE-2017-5715 is fixed by applying the latest firmware.
However, it doesn't address the other 2 CVEs. The document is so vague and is causing confusion.
So how should we interpret the lack of information for the other 2 CVEs?
Should we assume that the X5-2 is not affected by the other 2 CVEs, or that fixes for the 2 CVEs are not available yet?
There is no explanation and clarification in the document.
Coming up on 3 months since there was any update or talk of an update for a Spectre fix for SPARC servers.
Are We There Yet???
Any additional information would be helpful.