Two new processor vulnerabilities were publicly disclosed on May 21, 2018. They are vulnerabilities CVE-2018-3640 ( “Spectre v3a” or “Rogue System Register Read”) and CVE-2018-3639 (“Spectre v4” or “Speculative Store Buffer Bypass”). Both vulnerabilities have received a CVSS Base Score of 4.3.
Successful exploitation of vulnerability CVE-2018-3639 requires local access to the targeted system. Mitigating this vulnerability on affected systems will require both software and microcode updates.
Successful exploitation of vulnerability CVE-2018-3640 also requires local access to the targeted system. Mitigating this vulnerability on affected Intel processors is solely performed by applying updated processor-specific microcode.
Working with the industry, Oracle has just released the required software updates for Oracle Linux and Oracle VM along with the microcode recently released by Intel for certain x86 platforms. Oracle will continue to release new microcode updates and firmware patches as production microcode becomes available from Intel.As for previous versions of the Spectre and Meltdown vulnerabilities (see MOS Note ID 2347948.1), Oracle will publish a list of products affected by CVE-2018-3639 and CVE-2018-3640 along with other technical information on My Oracle Support (MOS Note ID 2399123.1). In addition, the Oracle Cloud teams will be working to identify and apply necessary updates if warranted, as they become available from Oracle and third-party suppliers, in accordance with applicable change management processes