SE-2013-01 Vendors status

This page presents the current status of the communication process with vendors of affected technologies.

Summary of the communication process:

  • 31-Jan-2014
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle Corporation (Issues 1-28)
- Oracle confirms successful reception and decryption of the vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
  • 02-Feb-2014
- Vulnerability Notice along with Proof of Concept codes are sent to Oracle Corporation (Issues 29-30)
  • 03-Feb-2014
- Oracle confirms successful reception and decryption of the second vulnerability report. The company informs that it will investigate based on the data provided and get back to us soon.
  • 12-Feb-2014
- Oracle confirms reported Issues 1-30 and provides tracking numbers for them. The company informs that it will be providing status updates on the issues near the 24th of each month.
  • 27-Feb-2014
- Oracle provides a monthly status report for the reported issues. The company informs that fixes for 24 issues have been developed. The remaining 6 issues are under investigation / being fixed in main codeline. The company also informs that the identified issues are either in a cloud infrastructure layer or in shipping products. For vulnerabilities in shipping products, Oracle plans to release proper fixes in future Critical Patch Updates (CPU). For the issues in the Cloud infrastructure layer, the company is working towards fixing and deploying them in all hosted environments.
  • 28-Feb-2014
- Security Explorations asks Oracle for notification when both the US1 and EMEA1 data centers are immune to all reported security vulnerabilities, or when any Oracle software release incorporates the fixes for the reported issues (such as software released prior to the CPU).
  • 20-Mar-2014
- Oracle informs that the company provides vulnerability information to all customers at the same time and that it does not publish a vulnerability when it is fixed in one release, but not in the other supported releases. The company also informs that it is still working on the cloud vulnerability handling policies. The company will notify Security Explorations when reported vulnerabilities are addressed in US1 and EMEA1 instances, but cannot promise this for the future.
  • 11-Apr-2014
- Oracle provides a comprehensive status report regarding upcoming Critical Patch Update fixes. The company informs that all 30 reported issues have been addressed in Java Cloud 13.2 and later versions. For Java Cloud 13.1, all issues that allow compromise of one user's data by another user have been addressed (Issues 18, 19, 21, 22, 23, 26, 29, 30). For Issue 25, the JDK is being upgraded and Oracle will provide an update once this is completed. All remaining issues are currently mitigated by either workarounds or security provided by VM, OS and network layers until 13.1 is upgraded to 13.2. For Issue 26 (remote WebLogic vulnerability), fixes will be made available via the April CPU for all supported versions for all on-premise customers. Oracle informs that it will continue to track the remaining issues until they are addressed for all Java Cloud versions and all on-premise customers. The company declares that it will continue to provide monthly updates.
  • 17-Apr-2014
- Oracle informs that Issue 25 has been addressed in Oracle Cloud 13.1 (JDK 1.6 has been upgraded).
  • 24-Apr-2014
- Oracle provides a monthly status report for the reported issues. The company informs that 20 issues are fixed in main codeline and are scheduled for a future CPU, 1 issue is under investigation / being fixed in main codeline and the remaining 8 issues have been resolved externally.
  • 22-May-2014
- Oracle provides a monthly status report for the reported issues. The company informs that 20 issues are fixed in main codeline and are scheduled for a future CPU and 1 issue is under investigation / being fixed in main codeline.
  • 28-May-2014
- Oracle informs that Issues 13-17 and 20 have been closed as Java Cloud version 13.1 has been upgraded to a newer version. The remaining issues affecting on-premise customers will be resolved after they are released in a future Critical Patch Update.
  • 24-Jun-2014
- Oracle provides a monthly status report for the reported issues. The company informs that 15 issues are fixed in main codeline and are scheduled for a future CPU.
  • 11-Jul-2014
- Oracle provides a status report regarding the upcoming CPU. The company informs that fixes for 15 vulnerabilities (Issues 1-12, 24, 27-28) will be incorporated into the Critical Patch Update due to be released on Jul 15, 2014.

Copyright 2008-2014 Security Explorations. All Rights Reserved.