SE-2014-01 Vendors status

This page presents the current status of the communication process with the vendors of the affected technologies.

Summary of the communication process:

  • 16-Jun-2014
- A Vulnerability Notice along with Proof of Concept codes is sent to Oracle Corporation (Issues 1-20)
- Oracle confirms successful receipt and decryption of the vulnerability report. The company informs us that it will investigate based on the data provided and get back to us soon.
  • 18-Jun-2014
- Oracle informs us that it has not yet confirmed all of the reported issues, but that it has filed the bugs, and provides their tracking numbers. The company also informs us that monthly status updates will be delivered around the 24th of each month.
  • 21-Jun-2014
- A Vulnerability Notice along with a Proof of Concept code is sent to Oracle Corporation (Issues 21-22)
  • 23-Jun-2014
- Oracle confirms successful receipt and decryption of the vulnerability report. The company informs us that it will investigate based on the data provided and get back to us soon.
  • 24-Jun-2014
- Oracle provides a monthly status report for the reported issues. The company informs us that 6 issues are fixed in the main codeline and are scheduled for a future CPU. The remaining 14 issues are under investigation / being fixed in the main codeline.
- Security Explorations asks Oracle for clarification regarding the status of the 14 issues (the "Under investigation / Being fixed in main codeline" status carries misleading or no bug confirmation information). The company also notifies Oracle that the received monthly status report did not include any information about the 2 issues reported on 21 Jun 2014.
- Oracle informs us that it is still trying to confirm Issues 21 and 22, but that it has filed 2 bugs, and provides their tracking numbers.
  • 25-Jun-2014
- Oracle explains the status information from its monthly report. The company informs us that "Under investigation / Being fixed in main codeline" means that the company is working towards reproducing and subsequently fixing the issue (unconfirmed bug). After the bug is fixed, the status changes to "Issue fixed in main codeline, scheduled for a future CPU" (confirmed issue).
- Security Explorations asks Oracle whether it needs any assistance in running the received Proof of Concept codes, or whether a confirmation of the reported vulnerabilities by a third party such as US-CERT would be helpful to the company. Security Explorations informs Oracle that it expects a clear confirmation or denial of the remaining 16 issues, regardless of their fix status.
  • 26-Jun-2014
- Oracle informs us that it has confirmed all 20 issues reported on 16 Jun 2014. The company has yet to confirm the two remaining issues from 21 Jun 2014.
  • 07-Jul-2014
- Oracle informs us that it has confirmed Issues 21 and 22, reported on 21 Jun 2014.
  • 11-Jul-2014
- Security Explorations asks Oracle why the patches for the Oracle Database Java VM component vulnerabilities (the 6 issues reported as "fixed in main codeline and scheduled for a future CPU" in the status report received from Oracle on 24 Jun 2014) are not included in the company's Jul 2014 CPU, as indicated by the pre-release announcement of that CPU.
  • 14-Jul-2014
- Oracle informs us that its developer did not follow the company's normal process and incorrectly created a fix for version 12.1.0.2 of Oracle Database first. As a result, the status of the 6 issues inquired about was incorrect, since the fix had not been completed in the 12.2 release (the vulnerabilities had not yet been fixed in the main codeline).
  • 24-Jul-2014
- Oracle provides a monthly status report for the reported issues. The company informs us that 17 issues are fixed in the main codeline and are scheduled for a future CPU. The remaining 5 issues are under investigation / being fixed in the main codeline.
  • 22-Aug-2014
- Oracle provides a monthly status report for the reported issues. The company informs us that 17 issues are fixed in the main codeline and are scheduled for a future CPU. The remaining 5 issues are under investigation / being fixed in the main codeline.
  • 24-Sep-2014
- Oracle provides a monthly status report for the reported issues. The company informs us that 18 issues are fixed in the main codeline and are scheduled for a future CPU. The remaining 4 issues are under investigation / being fixed in the main codeline.
  • 10-Oct-2014
- Oracle provides a status report regarding the upcoming CPU. The company informs us that fixes for all 22 issues will be incorporated into the Critical Patch Update due to be released on October 14, 2014.
  • 24-Oct-2014
- Oracle provides a status report for the reported issues. The company informs us that a Critical Patch Update has been issued for all 22 reported vulnerabilities.
  • 31-Oct-2014
- Security Explorations asks Oracle for the reasons for issuing incomplete CPU fixes for the Windows platform (the Oracle JavaVM Component patches for database versions 12.1.0.1.1, 11.2.0.3.1 and 11.1.0.7.1 are missing and are planned for release on Nov 04, 2014, according to Oracle Support Doc ID 1912224.1).
  • 03-Nov-2014
- Oracle responds that it occasionally allows patches to be released at the end of the month in which the CPU is issued. As a result, some of these patches have been delayed.
  • 30-Oct-2015
- Security Explorations asks Oracle for the CVE numbers corresponding to the vulnerabilities reported as part of the SE-2014-01 project (Issues 1-22).
- Oracle informs us that it will gather the requested information and get back to us.
  • 02-Nov-2015
- Oracle provides CVE numbers for Issues 1-22.

Copyright 2008-2018 Security Explorations. All Rights Reserved.