Showing results for tags 'oracle'.

Found 22 results

  1. Supreme Court rules API copying is fair use

     The ruling heads off an expected wave of lawsuits over API copyrights.

     The Supreme Court has sided with Google in its decade-long legal battle with Oracle over the copyright status of application programming interfaces. The ruling means that Google will not owe Oracle billions of dollars in damages. It also has big implications for the broader software industry, since a ruling in the opposite direction could have triggered a wave of lawsuits against software companies that re-implemented other companies' APIs.

     The case dates back to the creation of the Android platform in the mid-2000s. Google decided to base Android on Sun's Java programming language, enabling existing Java programmers to easily develop for the platform. Google independently implemented the Java API methods, but to ensure compatibility, it copied Java's method names, argument types, and the class and package hierarchy. A few years later, Oracle acquired Sun and soon afterward sued Google, arguing that Google's copying had infringed Sun's copyrights.

     Over a decade of litigation, Google won twice at the trial court level, but each time, the ruling was overruled by the Federal Circuit appeals court. The case finally reached the Supreme Court last year. Writing for a six-justice majority, Justice Stephen Breyer held that Google's copying of the Java API calls was permissible under copyright's fair use doctrine. The high court punted on whether APIs can be copyrighted in the first place. But the court's fair use reasoning was broad enough that it should provide a strong defense for most API copying, making the question of API copyrights much less important.

     We'll publish an in-depth analysis of the court's reasoning once we have time to fully digest it and see what the experts are saying.
Supreme Court rules API copying is fair use
  2. Microsoft and Oracle are working on digital COVID-19 vaccine cards

     Salesforce and the Mayo Clinic are also part of the Vaccination Credential Initiative.

     Starting later this month, the US will require international air passengers to show evidence of a recent negative COVID-19 test or proof that they have recently recovered from the disease. Alternatively, now that COVID-19 vaccines are being administered, airlines may soon allow you to fly if you can confirm that you've been immunized.

     Several health and tech organizations have teamed up to develop a system that would allow people to receive an encrypted copy of their vaccination status that they can store in a digital wallet on their phone. Members of the Vaccination Credential Initiative (VCI) include Microsoft, Oracle, Salesforce and the Mayo Clinic. The group is hoping to provide access to vaccination records through the SMART Health Cards framework. People without smartphones could receive a printout of a QR code that contains a verifiable vaccine record.

     Health officials in the US are issuing paper record cards to people who have received a COVID-19 vaccine. However, that isn't necessarily proof that someone has been immunized, as it's possible to spoof those cards.

     Some airports and airlines are testing a health passport app from the Commons Project, which is a VCI member. Travelers will be able to board certain international flights if they obtain a negative test result from their health providers and receive a confirmation code through the CommonPass app. As The New York Times notes, the VCI approach would work in a similar way for vaccine records.

     While being able to verify COVID-19 vaccinations could be critical in our return to normality from lockdowns and social distancing, health passport apps may prove a thorny issue. If airlines or employers make it mandatory to show proof of taking the vaccine, people who choose not to do so could be locked out of travel or returning to work.
Source: Microsoft and Oracle are working on digital COVID-19 vaccine cards
  3. The data processing policies and practices of two of the world’s largest software companies, Salesforce and Oracle, will come under scrutiny in the High Court of England and Wales in the largest digital privacy class action lawsuit ever filed.

     The suit, filed by privacy campaigner and data protection specialist Rebecca Rumbul, is seeking damages that have been estimated in excess of £10bn, which might conceivably result in awards of £500 for every internet user in the UK. A parallel suit in the Netherlands backed by a Dutch group called The Privacy Collective Foundation might take the total damages to more than €15bn.

     “Enough is enough,” said Rumbul. “I’m tired of tech giants behaving as if they’re above the law. It’s time to take a stand and show that these companies cannot unlawfully and indiscriminately hoover up my personal data with impunity. The internet is not optional any more, and I should be able to use it without big tech tracking me without my consent.

     “The data these companies are compiling on ordinary citizens is terrifying. With their tracking technologies in use across the most popular websites, it’s hard to escape from their data collection.”

     Rumbul said that although both software companies might ignore her complaints as a lone individual, by becoming a class representative on behalf of tens of millions, she might more effectively hold the advertising technology industry to account.

     “I don’t believe that these companies, who profit from the sale of my personal data to third parties, currently respect the laws that are supposed to protect my privacy,” she said. “Maybe £10bn given back to consumers in England and Wales will change that.”

     The lawsuit centres on the collection and processing of personal information by advertising technology platforms owned by Oracle and Salesforce, which use third-party cookies to track, monitor and collect online browsing data and auction it to advertising platforms to serve targeted online adverts. These are the tailored ads that many people seem to think “follow” them around the internet, and the data used to generate them can include a person’s interests, location, income, relationship status, gender or sexual orientation, health status, age, level of education and political or religious leanings.

     Rumbul’s suit, led by law firm Cadwalader, alleges that this process is done without clear consent and is therefore a breach of the General Data Protection Regulation (GDPR).

     A Salesforce spokesperson said: “At Salesforce, trust is our number one value and nothing is more important to us than the privacy and security of our corporate customers’ data.

     “We design and build our services with privacy at the forefront, providing our corporate customers with tools to help them comply with their own obligations under applicable privacy laws – including the EU GDPR – to protect the privacy rights of their own customers.

     “Salesforce and another data management platform provider received a privacy-related complaint from a Dutch group called The Privacy Collective in The Netherlands in August 2020. Salesforce and the same data management platform provider have since received a similar privacy complaint in the UK from Dr Rebecca Rumbul. The claim applies to the Salesforce Audience Studio service and does not relate to any other Salesforce service.”

     The spokesperson added: “Salesforce disagrees with the allegations and intends to show they’re without merit.

     “Our comprehensive privacy programme provides tools to help our customers protect the privacy rights of their own customers. To learn more about the tools we provide our corporate customers and our commitment to privacy, visit https://www.salesforce.com/privacy/products/.”

     Oracle has previously described the legal action as a shake-down made in bad faith, condemned the allegations as baseless, and vowed to vigorously defend against it. It has not yet made any further comment.

     The lawsuit proceedings might be stayed until the outcome – expected in 2021 – of the Lloyd vs Google case at the Supreme Court. If favourable, this might pave the way for opt-out representative actions for privacy breaches.

     Source
  4. Oracle issued an out-of-band security update over the weekend to address a critical remote code execution (RCE) vulnerability impacting multiple Oracle WebLogic Server versions.

     The security vulnerability tracked as CVE-2020-14750 received a 9.8 severity base score from Oracle, out of a maximum rating of 10. Oracle credits 20 organizations and people in the security advisory for having provided information that allowed the company to address CVE-2020-14750.

     No-auth RCE

     Unauthenticated attackers can remotely exploit this no-auth RCE flaw in the server's console component via HTTP, without user interaction, as part of low complexity attacks to potentially take over targeted servers.

     "It is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," Oracle's advisory explains. "Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

     Supported Oracle WebLogic Server versions that are affected by CVE-2020-14750 include 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0.

     Eric Maurice, Director of Security Assurance at Oracle, also shared a link to WebLogic Server hardening instructions in a blog post published on Sunday announcing the out-of-band security update. Earlier today, the Cybersecurity and Infrastructure Security Agency (CISA) also urged users and administrators to apply the security update to block potential attacks.

     US-CERT (@USCERT_gov), November 2, 2020: "Oracle released an out-of-band security alert to address a vulnerability—CVE-2020-14750—in Oracle WebLogic Server. Patch ASAP! https://t.co/34wm2YYgnx #Cyber #Cybersecurity #InfoSec"

     Related to actively targeted CVE-2020-14882

     Oracle also says that the vulnerability is related to CVE-2020-14882, another 9.8 out of 10 critical WebLogic Server flaw that was addressed in the October 2020 Critical Patch Update, two weeks ago.

     As BleepingComputer reported on Thursday, threat actors started scanning for exposed Oracle WebLogic instances vulnerable to CVE-2020-14882 exploits one week after it was addressed during this month's Critical Patch Update, according to the SANS Technology Institute. Just as in the case of CVE-2020-14750, vulnerable versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

     Even though the company did not provide any further details regarding the relation between the two vulnerabilities, this out-of-band security update might be a direct result of the fact that a bypass for the CVE-2020-14882 patch was discovered on Friday. BleepingComputer reached out to Oracle for more details and to confirm that CVE-2020-14750 was indeed issued to address last week's CVE-2020-14882 bypass, but did not hear back at the time of publication.

     Source
  5. How many times do you want to read the CVSS rating 9.8 today?

     Oracle has released its final quarterly batch of patches for the year for security flaws in its products. The total this time? 402 fixes, the bulk of which are rated critical in terms of severity. In all, there are 230 CVE-listed bugs fixed across 27 Oracle products, according to Tenable, which noted Big Red's record is still July 2020 with more than 440 patches.

     "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," the database giant warned in its advisory accompanying its software patches. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay."

     "Due to the threat posed by a successful attack," it continued, "Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible."

     "Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack."

     So, you know, test, patch, deploy, as soon as you can before someone exploits one of these vulnerabilities in your infrastructure.

     Products updated this quarter include:

     • Oracle Enterprise Manager
     • Big Data Spatial and Graph
     • a number of Hyperion-branded Fusion Middleware products
     • MySQL Cluster, Enterprise Monitor, Server and Workbench
     • various financial services and supply chain-focused applications
     • Oracle Communications products
     • Oracle Financial Services products and apps
     • Healthcare hospitality and retail products
     • Oracle Policy Automation products
     • Oracle VM VirtualBox
     • Oracle ZFS Storage Appliance Kit
     • Webcenter and Weblogic

     Quite a few of the vulns are exploitable without requiring any special privileges, such as those in Oracle TimesTen In-Memory Database (CVE-2018-11058, CVE-2017-5645, CVE-2019-1010239 and CVE-2019-0201). Similarly, 41 of the patched vulns in Oracle Communications “may be remotely exploitable without authentication, i.e. may be exploited over a network without requiring user credentials,” to use Big Red's own words.

     The full list of updates, part of Oracle’s routine critical quarterly patch run, can be read on its website. More detailed information is available for those with an Oracle login to access fully detailed patch notes.

     Jake Moore, a cybersecurity specialist at antivirus vendor Eset, told The Register: “All critical patch updates are important and require the earliest, convenient patching but worryingly, even infosec folk can be procrastinators and put off critical updates when they are released due to the inconvenience often caused. Amplified with more remote working than ever, such updates can cause more of a headache than before for their admins.” He added: “But of course as always, it is vital to patch as soon as possible to avoid being exploited by these now known vulnerabilities.”

     Back in January Oracle patched a similar number of flaws, including a priv-escalation issue in Solaris 10 Common Desktop, as we reported at the time. Big Red only does four scheduled security updates each year, on the Tuesday closest to the 17th of January, April, July and October.
Maybe it should shift to a more frequent vulnerability disclosure schedule, to avoid dumping so many critical patches on hard working admins all at once. Source
  6. Users who won’t upgrade to 11.4 given three-year warning of unpleasantness to come Oracle appears to be losing patience with Solaris users who won’t adopt the newest 11.4 release of the OS. The database giant this month notified folks that as of January 2021 "premier support" for version 11.3 will end. Oracle’s next tier of support for that build of the operating system is “extended support,” which Oracle’s Lifetime Support Policy explains offers the same support services as premier albeit for an extra fee and only for three years. Support is available beyond the extended offering: “sustaining support” will continue for as long as you keep paying Big Red license fees, but does not include “new updates, fixes, security alerts, data fixes, and critical patch updates.” Oracle says its stance is justified because it has already given Solaris 11.3 users more than two years of premier support in recognition of the fact that version 11.4 needs Sparc hardware built after 2010. The Silicon Valley goliath also said it wasn’t as generous with previous Solaris releases. But Oracle also seems to have said it just can’t be bothered working on patches for 11.3 while continuing to evolve version 11.4. The Register offers that analysis as Oracle’s post states the following: Customers under Oracle Premier Support have had access to quarterly patch updates called Limited Support Updates (LSUs) to Oracle Solaris 11.3 for over 2 years. These LSUs are limited in scope, and solely focused on delivering fixes deemed absolutely necessary. For instance, they are often limited by how far behind Oracle Solaris 11.3 is on things like the FOSS versions and how far behind the Oracle Solaris 11.3 kernel is behind Oracle Solaris 11.4, which means we cannot bring all the functionality and security fixes available with Oracle Solaris 11.4 into the Oracle Solaris 11.3 LSUs. Financial considerations aside, there’s no reason for users of 11.3 to scramble for an upgrade before premier support ends. 
Indeed, Big Red’s support spiel states: “Your technology future is assured with Oracle’s Extended Support,” adding “Extended Support lets you stay competitive, with the freedom to upgrade on your timetable.” Though having said that, the company advises customers they "should move to Oracle Solaris 11.4 as quickly as they can.” Doing so will not only let users get their hands on 11.4’s new features, it will also make them eligible for premier support until the year 2031 and extended support until 2034. By which time The Register imagines hardly anyone will have an excuse to keep running Solaris other than Oracle in a cloudy incarnation for which it can charge truly outrageous prices. Source
  7. The legal battle is a decade in the making. The Supreme Court building in Washington, DC. Google and Oracle faced off Wednesday before the US Supreme Court in a multibillion dollar battle that could have a major effect on how companies develop software in the future. The two tech giants are clashing over the architecture of Google's Android operating system, the dominant mobile software on the planet. At the center of the fight is a question of copyright protections for application programming interfaces, or APIs, which govern how code communicates with other bits of code. Android was built in part by using APIs from Java, which was developed by Sun Microsystems. Oracle bought Sun in 2010 and later sued Google for allegedly illegal use of the software. The settlement could be worth almost $9 billion. For Google, the investment in Android paid off. The software powers almost nine of every 10 smartphones shipped globally. Beyond phones, Android is run on more than 2.5 billion devices altogether, including TVs and car dashboards. The legal saga, a decade in the making, has taken twists and turns to reach the highest court in the land. Google won the first major battle in 2016, only for an appeals court to reverse the decision two years later. Google repeatedly petitioned the Supreme Court to take the case, and last year the court said it would hear it. Oral arguments were originally expected in March but were pushed back and conducted virtually amid the coronavirus pandemic. On Wednesday, Google attorney Thomas Goldstein argued that Google only used parts of code it couldn't re-create when it was building Android. He said they work "like a key fits into a lock." He likened the code to "connective tissue" that shouldn't be protected. Chief Justice John Roberts responded, "Cracking the safe may be the only way to get the money you want, but it doesn't mean you can do it." He added, "If it's the only way, the way for you to do it is to get a license." 
Oracle attorney Joshua Rosenkranz said one way to "kill" the software industry is to "take away the incentive to write original code." He argued that the industry rose to prominence because of copyright protections. The outcome of the trial will ripple throughout the tech industry, not only because the case is a rare bout between two tech giants on the biggest legal stage in the world. The decision could change how companies go about developing software based on what code is fair to use or not. Google argues a copyright protection would stunt innovation. Oracle has called Google's argument "backwards," balking at the idea that weaker intellectual property rights could boost creativity. The battle comes as both companies are in the spotlight with the federal government. Google is under massive antitrust scrutiny from lawmakers and regulators. The US Department of Justice is expected to file a landmark lawsuit against Google as early as this week. Oracle has made waves recently as it tries to become the US "technological partner" to TikTok, a relationship it's seeking after the Trump administration tried to force a sale from its Chinese owner ByteDance over security concerns. Google, which has the support of Microsoft and the Electronic Frontier Foundation in the case, said applying protections to the software would hurt the developer community. "We spoke for software developers, computer scientists, businesses and consumers who support software innovation," Kent Walker, Google's senior vice president of global affairs, said in a statement. "Developers want to create applications that work across platforms, without fearing that companies will misuse copyright law to block interoperability. We look forward to the Court's decision." Oracle has the backing of the US solicitor general, who represents the federal government before the court. The company said Google was driven by "expediency." 
"Strong intellectual property protection is the cornerstone of American innovation," Dorian Daley, Oracle's general counsel, said in a statement. "We are confident the Supreme Court will agree with us that all software is covered by copyright and that Google's copying for its own commercial advantage and expediency can't possibly be fair use." The proceedings fell during the first week the court is in session since the death of Justice Ruth Bader Ginsburg last month, which has spurred a bitter debate over her replacement. Source
  8. President Donald Trump said he might rescind his tentative blessing for a deal between Oracle Corp. and ByteDance to create a new U.S.-based TikTok service, casting doubt on the agreement as Chinese state media signaled reluctance in Beijing. Speaking in an interview on Fox News on Monday, Trump said he wouldn’t approve the deal if the Chinese company retains control of TikTok. However, he also indicated that he expected Chinese influence to be diluted by a future public offering of the new company. “They will have nothing to do with it, and if they do, we just won’t make the deal,” Trump said, referring to ByteDance, which owns TikTok. “It’s going to be controlled, totally controlled by Oracle, and I guess they’re going public and they’re buying out the rest of it -- they’re buying out a lot, and if we find that they don’t have total control then we’re not going to approve the deal.” Shortly after Trump’s comments, Hu Xijin, editor-in-chief of the China state-affiliated Global Times, tweeted that Beijing would likely reject the deal “because the agreement would endanger China’s national security, interests and dignity.” The Global Times is a tabloid run by the People’s Daily -- the flagship newspaper of the Communist Party. Hu’s tweets are closely watched after accurately forecasting previous moves by China’s government, though his statements at times don’t reflect official policy. ByteDance was pressured into a deal for TikTok in August, when Trump threatened to ban the app in the U.S. over national security concerns about the service’s data gathering. After Microsoft Corp. made a proposal for a full buyout, ByteDance instead turned to Oracle’s offering, in which the Chinese parent will maintain a solid majority stake. ByteDance may end up owning as much as 80% of TikTok Global, which would include the app’s operations in the U.S. and the rest of the world excluding China. On Friday, Trump said that he had approved of the deal with Oracle and WalMart Inc. 
“in concept.” Under the current proposal, there will be five seats on the board of TikTok Global. Walmart Chief Executive Officer Doug McMillon will become a director, the retailer said in a statement. TikTok Global will likely be headquartered in Texas and will hire “at least” 25,000 people, Trump said. The valuation for TikTok has been a looming question in the wake of Washington and Beijing clashing over the negotiations. The company will seek a valuation of $60 billion, according to a person familiar with the matter. TikTok Global intends to hold an initial public offering within 12 months, Oracle and Walmart said. Oracle will get full access to review TikTok’s source code and updates to make sure there are no back doors used by the company’s Chinese parent to gather data or to spy on the video-sharing app’s 100 million American users, according to people familiar with the matter. The U.S. software giant has given reassurances it can protect TikTok user data from foreign influence. Source
  9. US President Donald Trump says he's approved the agreement "in concept," according to a report. The deal would create a company called TikTok Global, and China's government would also need to sign off. President Donald Trump said Saturday that he has OK'd "in concept" a deal for Oracle to acquire the US operations of popular video app TikTok, says a Bloomberg report. Trump had earlier cited national security concerns in issuing a pair of executive orders that say TikTok will be banned in the states unless such a deal goes through. A ban on US downloads of the app is set to go into effect Sunday. The Trump administration has said it's concerned about the TikTok app because the app collects data on its US users and TikTok's parent company, ByteDance -- a Chinese firm -- could be compelled by China's communist government to share that information. TikTok has repeatedly said such concerns are baseless. On his way to a campaign rally in North Carolina, Trump told reporters that he had given the TikTok-Oracle deal "my blessing," Bloomberg reported. For the deal to be finalized, China's government would have to sign off on it, the news outlet noted, adding that Chinese officials have indicated that the government is willing to approve an agreement, so long as ByteDance doesn't have to give up the artificial intelligence algorithms behind the TikTok app. The agreement has Bytedance retaining a majority of TikTok's assets and control over the app's algorithm, and Oracle and other US investors taking minority stakes, Bloomberg said. "Oracle will get full access to review TikTok's source code and updates to make sure there are no back doors used by the company's Chinese parent to gather data or to spy on the video-sharing app's 100 million American users," Bloomberg reported, citing information from unnamed sources. 
On Friday, Trump told Oracle Chairman Larry Ellison that he still expects the US government to get a cash payment as part of the sale, Bloomberg reported, adding that it's unclear how that would come about. A TikTok spokesperson said in a statement that TikTok is pleased the deal "will resolve the security concerns of the US Administration and settle questions around TikTok's future in the US." "As part of this proposal, Oracle will become our trusted technology provider, responsible for hosting all US user data and securing associated computer systems to ensure US national security requirements are fully satisfied," the spokesperson said. "We are currently working with Walmart on a commercial partnership as well. Both companies will take part in a TikTok Global pre-IPO financing round in which they can take up to a 20% cumulative stake in the company. We will also maintain and expand TikTok Global's headquarters in the US, while bringing 25,000 jobs across the country." Oracle CEO Safra Catz said in a statement that Oracle "will quickly deploy, rapidly scale, and operate TikTok systems in the Oracle Cloud. We are a hundred percent confident in our ability to deliver a highly secure environment to TikTok and ensure data privacy to TikTok's American users, and users throughout the world. This greatly improved security and guaranteed privacy will enable the continued rapid growth of the TikTok user community to benefit all stakeholders." The White House didn't immediately respond to a request for comment. Source
  10. Oracle’s TikTok deal accomplishes nothing

      Adding a ‘trusted tech partner’ only addresses a sliver of the national security concerns

      On Sunday night — just two days before the deadline set by Microsoft — the TikTok deal finally came through. Oracle will be taking over stewardship of TikTok’s US operations, after Chinese parent company ByteDance turned down a more ambitious bid from Microsoft. This morning, Treasury Secretary Steven Mnuchin confirmed the deal and said it would be presented to President Trump with a recommendation later this week. But barring a complete catastrophe, TikTok will keep operating in the US. However weird the details are, TikTok’s 1,400 US employees and tens of millions of US users are breathing a sigh of relief this morning. But the last-minute sale is strange in a number of ways — for a start, it’s not a sale at all. After months of insistence that TikTok sever its US operations from Chinese ownership, we’re now settling for a vague partnership between Oracle and the US TikTok operation. It’s still unclear exactly what Oracle’s “trusted tech partner” status entails, but it’s definitively not a sale, and it’s unlikely Oracle is taking over any significant operations from the US TikTok offices. Microsoft’s version of the deal would have severed American TikTok from Europe and Asia entirely, but Oracle’s version of the deal leaves it mostly intact. US TikTok will stay the same as Korean TikTok and Nigerian TikTok; it’s just getting an extra babysitter. That makes it less of a sale and more of a glorified hosting deal. It lets Trump say he’s solved the problem but doesn’t do much else. Microsoft underlined this point in its official statement announcing it had not been chosen. “We would have made significant changes to ensure the service met the highest standards for security, privacy, online safety, and combatting misinformation,” the company said in its statement. 
“We look forward to seeing how the service evolves in these important areas.” The implicit message is clear: we wanted to change TikTok to actually make it safe, and ByteDance said no. There’s no indication that Oracle’s partnership makes those changes, which makes the whole deal seem suspect. “A deal where Oracle takes over hosting without source code and significant operational changes would not address any of the legitimate concerns about TikTok,” former Facebook security chief Alex Stamos said on Twitter, “and the White House accepting such a deal would demonstrate that this exercise was pure grift.” Having Oracle take over TikTok’s US hosting only addresses a sliver of the problem. It means China can’t directly siphon user data — but it probably couldn’t have before, given the app’s US headquarters. Oracle’s trusted partner status could include some code audits, but as long as the company isn’t writing the code, it will be hard to stop ByteDance from smuggling in some tracking malware if it wants to. Oracle won’t be rewriting the TikTok algorithm or handling moderation, so it will be just as easy for ByteDance to push Chinese propaganda or censor embarrassing messages. Oracle will be a contractor rather than a subsidiary, but it’s not clear that will make them any less vulnerable to pressure or subterfuge. If you were concerned about TikTok before, there’s no obvious reason you should be less concerned now. The clear winner is Oracle, which will presumably get paid handsomely by TikTok for its trust-partnering services and for making this whole nightmare go away. An infrastructure and cloud software business, Oracle has usually been out-muscled by larger players like Microsoft and Amazon. 
At the same time, Oracle co-founder and chairman Larry Ellison has been an outspoken Trump supporter within Silicon Valley, hosting a fundraiser for the president at his Palm Springs compound in February, and telling Forbes in April, “I support him and I want him to do well.” Given the president’s track record, it will be hard to dismiss the concern that he’s steered a cushy contract to a political ally instead of taking the national security concerns seriously. The initial prospect of a US-focused buyout had grown more difficult in the past week after China placed export controls on algorithms like the one that powers TikTok’s For You page. Recent reports suggested ByteDance simply wasn’t interested in a sale and would prefer to have the app shut down than have the US portions cleaved off and sold. It’s hard to know if that was a real position or just a negotiating tactic, but the result is the same: China was calling Trump’s bluff. A different leader might have pushed harder for a full sale or found some compromise that addressed more of the national security concerns — but finding that the drama had turned against him, it seems like Trump simply folded his hand and moved on. It’s an anticlimactic end, but things could be worse. TikTok faced the real risk of being shut down in the US, which seems unlikely to happen now. The Treasury Department was prepared to block US transactions to ByteDance starting on September 20th (that is, next Sunday). And absent some kind of compromise, TikTok could have easily become collateral damage in Trump’s feud with China. That would have been a gross abuse of power, as I wrote last month, and it’s good we avoided it. But every time someone calls your bluff and wins, it gets a little harder to play the game. We’re still in the early days of a long fight over Chinese technology — how much we can trust it and how much we can afford not to. That fight is bigger than TikTok or Trump. 
Because of the TikTok fiasco, it will be harder to take a future president seriously when they raise the alarm about a piece of network hardware or a tracking cookie leaking data back across the great firewall. In this game, America’s strength is its credibility and its ability to influence allies. Both of those have taken a clear hit from the Oracle deal. Trump himself stepped away with only a minor loss — but like so many of his deals, he was playing with someone else’s money.
  11. Oracle reportedly wins deal for TikTok’s US operations as ‘trusted tech partner’ Deal comes an hour after Microsoft’s failed attempt Oracle has reportedly won a deal to manage TikTok’s US cloud operations. Oracle had been rumored to be part of the bidding process to acquire TikTok, but The Wall Street Journal reports that the company has been selected as a “trusted tech partner” instead. This is different from an outright sale, and appears to suggest Oracle will be helping run TikTok’s US operations with its own cloud technologies. News of an Oracle deal comes just an hour after Microsoft revealed it was no longer acquiring TikTok after its bid was rejected by TikTok owner ByteDance. Microsoft had been pursuing a deal to buy TikTok’s operations in the US, Australia, Canada, and New Zealand. It’s clear talks have swayed away from a full acquisition, with Oracle reportedly winning the bid to be a technology partner instead. President Trump signed an executive order August 6th blocking all transactions with ByteDance, and the order demanded an American company purchase TikTok’s US business. The EO was intended to take effect within 45 days, but the president signed a follow-up order giving ByteDance 90 days to sell or spin off TikTok in the US. That order was a result of an investigation of the company by the Committee on Foreign Investment in the US (CFIUS), which oversees foreign acquisitions of US companies for any potential security risks. Oracle has a history of collaboration with the US government, making its partnership with TikTok a strategic move amid the growing undercurrent of Chinese opposition running through the White House and Congress.
  12. Oracle is reportedly in talks to buy TikTok’s US business Microsoft may have a competitor Oracle has expressed an interest in acquiring TikTok, according to the Financial Times, giving Microsoft a potential competitor in its bid to control the Chinese social video app in the US. Larry Ellison’s enterprise software giant has reportedly held preliminary talks with TikTok’s parent company ByteDance already, working with venture capital firms including General Atlantic and Sequoia Capital, and is “seriously considering” acquiring its business in the US, Canada, Australia, and New Zealand. President Trump issued an executive order on Friday ordering ByteDance to sell its US business within 90 days. The FT notes that Oracle’s billionaire co-founder Ellison is one of the few US tech executives who has been openly supportive of Trump, though it’s not clear whether Oracle would be the White House’s preferred suitor for TikTok. A deal to buy part of TikTok would be legally fraught and technically complex. Until now, Microsoft has been considered the frontrunner in the efforts to find an American buyer. The FT corroborates earlier reporting from The Wall Street Journal that said Twitter had also expressed an early interest, but there are said to have been “serious concerns” about its financial capacity for the deal. While ByteDance hasn’t named a price publicly, TikTok’s success propelled it to become the world’s most valuable startup in 2018.
  13. Should they be allowed to grab our stuff just cos it's 'popular' and it works? Not to be outdone by Google in ominous warnings over the future of software, Oracle has declared to American Supreme Court justices that no company would make an "enormous investment" like it did in Java SE if rivals get a free pass to copy code simply because it is "popular" and "functional". The firm filed a brief yesterday (PDF) to fend off Google's appeal in the highest court in the United States. The search giant is trying to overturn a Federal Circuit ruling over Google's use of Java code in the Android mobile operating system that would leave it on the hook for copyright damages estimated at $9bn+. Oracle held that the class library APIs it has been tussling with Google's Android over since August 2010 are a "literary work", countering Mountain View's assertion last month that the "declarations were highly functional, rather than expressive (PDF)". Big Red wrote in the document that there had been "creative choices – both [in] writing the declaring code and organizing the programs" that were "critical to Java SE's success", adding that Sun Microsystems and Oracle had collectively invested "hundreds of millions of dollars" attracting developers and developing the platform. It also shot down Google's merger doctrine argument, which holds that what the code does and the way it was written (the idea and its expression) have merged into one and the same thing, which Big Red acidly characterised as "an invitation" to the court to "rewrite the Copyright Act". As for Google's argument that once you dismiss Java SE's "conceptual" choices, all that remains are "unoriginal" names, Oracle snapped: "That is like saying once you choose a plot, the story writes itself." In a 70-page broadside, Big Red called Mountain View's policy arguments "legally irrelevant" to fair use, adding there was "no settled practice of pirating valuable software and incorporating it into competing products". 
Countering Google's holding that it used a small portion of the Java code base, Oracle retorted that Google's copying was "substantial" because of its "importance", and that the justices should disregard that Google copied "only a fraction of a large work". No company will make the enormous investment required to launch a groundbreaking work like Java SE if this Court declares that a competitor may copy it precisely because it has become so popular, or because it is functional — like all computer code. Even Andy Rubin said we were rivals Big Red characterised Google's problem – which it noted had been conceded by Android's founder Andy Rubin in earlier testimony – as being that Sun's "APIs are copyrighted". It remarked: "Google could have taken the open-source license for free. But Google considered the give-back obligation 'unacceptable'." The database vendor also held in its brief that Google's use of the code in question was "commercial" – which would weigh against the fair use ruling – and claimed that "Google's concededly 'competing' product harmed Java SE in actual and potential markets", pointing to Oracle CEO Safra Catz's testimony back in 2016 (PDF) about a discount given to Amazon for its Paperwhite e-reader: Amazon switched from the Java platform to Android, then leveraged its ability to use Android for free to secure a 97.5 per cent price concession from Oracle. (A San Francisco jury ruled in favour of Mountain View's fair use argument soon after the Oracle boss's testimony.) Big Red also added in yesterday's brief that Google could have licensed its code, but chose not to, opining: "Developers offer open-source licenses because it is in their business interest. Market forces likewise foster interoperability. Consumers demand products that work together, so software vendors 'wall off' their products at their peril." It also said that, seemingly in opposition to its own argument, Google had "admitted that it purposely made Android incompatible with Java". 
The case is Google LLC (Petitioner) v Oracle America, Inc and interested readers can follow the action here. Source
  14. Trademark Big Red annoyances revealed by JVM software writers JVM developers are annoyed by Oracle's restrictions on use of the javax namespace Just 9 per cent of Java devs pay for a supported version of the Java Development Kit (JDK), according to a new survey – despite Oracle introducing a licence fee for the official Oracle JDK from April 2019. The survey by snyk, a company that specialises in tools to find vulnerabilities in code and open-source libraries, is based on over 2,000 responses from developers, collated in the second half of 2019. This is a poll of Java Virtual Machine (JVM) developers, rather than Java ones, and is not intended to include Android devs, who may code in Java but do not target the JVM. Use of Oracle's JDK has declined from 70 per cent in 2018 to 34 per cent today. "There is a 72 per cent swing from Oracle JDK to alternate OpenJDK providers," the report stated. Note, though, that OpenJDK is official in that it is also maintained by Oracle. There is a detailed look at the difference between OpenJDK and Oracle JDK here. Of those who do pay for JDK support, which is around 9 per cent of the survey participants, a whopping 55 per cent get it from Oracle, while the others look to Red Hat, IBM or Azul. Many Java developers are still stuck on Java 8, the last version before major changes were made to the JDK. However, the appearance of Java 11, which is an LTS (long-term support) version, has prompted a shift, with a quarter of developers now using it, versus 64 per cent on Java 8. Why the inertia? 51 per cent say “the current set up works just fine". If it ain't broke… 6 per cent of those surveyed use the Spring framework, showing how dominant this is in enterprise development. Most JDK developers code in Java, as you would expect. There are other languages that support the JDK, though, and of these Kotlin – developed by JetBrains and now also supported for Android development – is growing in popularity. 
Use of Kotlin has gone from 2.4 to 5.5 per cent of developers since last year's survey. Clojure, Scala and Groovy also show up in the survey, in that order. What annoys Java developers most? High on this list is that Oracle could not agree with the Eclipse Foundation, now custodians of Java's enterprise edition (Jakarta EE), over the use of the javax namespace. "Unfortunately, following many months of good-faith negotiations, the Eclipse Foundation and Oracle have been unable to agree on terms of an agreement for the Eclipse Foundation community to modify the javax package namespace or to use the Java trademarks currently used in Java EE specifications," said Eclipse executive director Mike Milinkovich in May 2019, making dark reference to the "complexity and confidential nature of our negotiations". The javax packages include extensions like Servlets for web applications and Swing for desktop application interfaces. The consequence of the lack of agreement is that any improvements will need to go under a different package name, to avoid Oracle's trademark. 37 per cent of developers declared themselves "very disappointed" about this, and 32 per cent "a little annoyed". What IDE do JVM developers use? IntelliJ IDEA comes top, with 62 per cent, followed by Eclipse at 20 per cent and Apache NetBeans at 10 per cent. Visual Studio Code is used by just 2 per cent of participants. The declining popularity of Eclipse is notable, down from over 60 per cent in 2012. In Continuous Integration, Jenkins is the choice of 58 per cent of those surveyed, a huge lead over the second placed GitLab (6 per cent), while the three most popular code repositories are GitLab (35 per cent), GitHub (31 per cent) and BitBucket (25 per cent). It seems that JVM developers love GitLab more than the average developer, since GitHub is reckoned to have a bigger market share overall. Source
  15. Oracle has sent out letters to partners in Venezuela stating that they will no longer be able to work with them in order to comply with President Trump's Executive Order 13884. After first reporting that Adobe was banning all users from Venezuela from using their services, BleepingComputer has learned that Oracle had already canceled all contracts with partners located in Venezuela. According to a source, business partners located in Venezuela have been receiving letters from Oracle's Marcia Solveria, SVP, Regional General Counsel and Regional Compliance and Ethics Office, stating that Oracle can no longer work with them. "As you know, the United States government has substantially increased sanctions on Venezuela over the past two years. Most recently, on August 5, 2019, President Trump issued an executive order imposing additional sanctions on the Government of Venezuela. As a United States company, Oracle is legally required to adhere to this order. In order to ensure compliance with Executive Order 13884 and related U.S. sanctions targeting Venezuela, and pursuant to Section R of our Master Distribution Agreement of March 14, 2018 and all Addenda thereunder and Section W of the Oracle PartnerNetwork Worldwide Agreement, Oracle must undertake an orderly wind down of its business in Venezuela. As part of this process, Oracle must terminate the abovementioned contracts with you and cannot engage in any new business with existing customers or new customers. Accordingly, you must not sell any Oracle services, products, hardware, or software to any new customers or engage in any new business with existing customers. To the extent there are continuing legal obligations to existing customers, Oracle is assessing the requirements and impacts of applicable U.S. laws and regulations on a case-by-case basis and will follow up with you and/or the customer, if and as appropriate, with additional guidance or instruction." 
BleepingComputer was told by the recipient of this letter that they are not affiliated with the government of Venezuela in any way. They further told us that numerous end users have received the same letter from other vendors and VARs based out of Venezuela. Similar to Adobe, it is unclear why Oracle is targeting all of their partners in Venezuela rather than just people associated with the "Government of Venezuela" as required by Executive Order 13884. "The term 'Government of Venezuela' includes the state and Government of Venezuela, any political subdivision, agency, or instrumentality thereof, including the Central Bank of Venezuela and Petroleos de Venezuela, S.A. (PdVSA), any person owned or controlled, directly or indirectly, by the foregoing, and any person who has acted or purported to act directly or indirectly for or on behalf of, any of the foregoing, including as a member of the Maduro regime" When we asked Oracle why they are canceling contracts with all partners in Venezuela rather than just those related to the government, we received the following statement. "We decline comment." The full letter being sent by Oracle to partners can be seen below. Source
  16. You really have to give Oracle a lot of points for persistence, especially where the $10 billion JEDI cloud contract procurement process is concerned. For more than a year, the company has been complaining across every legal and government channel it can think of. In spite of every attempt to find some issue with the process, it has failed every time. That did not stop it today from filing a fresh appeal of last month’s federal court decision that found against the company. Oracle refuses to go quietly into that good night, not when there are $10 billion federal dollars on the line, and today the company announced it was appealing Federal Claims Court Senior Judge Eric Bruggink’s decision. This time they are going back to that old chestnut that the single-award nature of the JEDI procurement process is illegal: “The Court of Federal Claims opinion in the JEDI bid protest describes the JEDI procurement as unlawful, notwithstanding dismissal of the protest solely on the legal technicality of Oracle’s purported lack of standing. Federal procurement laws specifically bar single award procurements such as JEDI absent satisfying specific, mandatory requirements, and the Court in its opinion clearly found DoD did not satisfy these requirements. The opinion also acknowledges that the procurement suffers from many significant conflicts of interest. These conflicts violate the law and undermine the public trust. As a threshold matter, we believe that the determination of no standing is wrong as a matter of law, and the very analysis in the opinion compels a determination that the procurement was unlawful on several grounds,” Oracle’s General Counsel Dorian Daley said in a statement. In December, Oracle sued the government for $10 billion, at the time focusing mostly on a perceived conflict of interest involving a former Amazon employee named Deap Ubhi. 
He worked for Amazon prior to joining the DOD, where he worked on a committee of people writing the RFP requirements, and then returned to Amazon later. The DOD investigated this issue twice, and found no evidence he violated federal conflict of interest laws. The court ultimately agreed with the DOD’s finding last month, ruling that Oracle had failed to provide evidence of a conflict, or that it had an impact on the procurement process. Judge Bruggink wrote at the time: We conclude as well that the contracting officer’s findings that an organizational conflict of interest does not exist and that individual conflicts of interest did not impact the procurement, were not arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law. Plaintiff’s motion for judgment on the administrative record is therefore denied. The company started complaining and cajoling even before the JEDI RFP process started. The Washington Post reported that Oracle’s Safra Catz met with the president in April, 2018 to complain that the process was unfairly stacked in favor of Amazon, which happens to be the cloud market share leader by a significant margin, with more than double that of its next closest rival, Microsoft. Later, the company filed an appeal with the Government Accountability Office, which found no issue with the RFP process. The DOD, which has insisted all along there was no conflict in the process, also did an internal investigation and found no wrong-doing. The president got involved last month when he ordered Defense Secretary Mark T. Esper to look into the idea that, once again, the process has favored Amazon. That investigation is ongoing. The DOD did name two finalists, Amazon and Microsoft, in April, but has yet to name the winner as the protests, court cases and investigations continue. The controversy in part involves the nature of the contract itself. 
It is potentially a decade-long undertaking to build the cloud infrastructure for the DOD, involves an award to a single vendor (although there are several opt-out clauses throughout the term of the contract) and involves $10 billion and the potential for much more government work. That every tech company is salivating for that contract is hardly surprising, but Oracle alone continues to protest at every turn. The winner was supposed to be announced this month, but with the Pentagon investigation in progress, and another court case underway, it could be some time before we hear who the winner is. Source
  17. Oracle has been complaining about the procurement process around the Pentagon’s $10 billion, decade-long JEDI cloud contract, even before the DoD opened requests for proposals last year. It went so far as to file a lawsuit in December, claiming a potential conflict of interest on the part of a procurement team member. Today, that case was dismissed in federal court. In dismissing the case, Federal Claims Court Senior Judge Eric Bruggink ruled that the company had failed to prove a conflict in the procurement process, something the DOD’s own internal audits found in two separate investigations. Judge Bruggink ultimately agreed with the DoD’s findings: We conclude as well that the contracting officer’s findings that an organizational conflict of interest does not exist and that individual conflicts of interest did not impact the procurement, were not arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law. Plaintiff’s motion for judgment on the administrative record is therefore denied. The company previously had filed a failed protest with the Government Accountability Office (GAO), which also ruled that the procurement process was fair and didn’t favor any particular vendor. Oracle had claimed that the process was designed to favor cloud market leader AWS. It’s worth noting that the employee in question was a former AWS employee. AWS joined the lawsuit as part of the legal process, stating at the time in the legal motion, “Oracle’s Complaint specifically alleges conflicts of interest involving AWS. Thus, AWS has direct and substantial economic interests at stake in this case, and its disposition clearly could impair those interests.” Friday’s ruling opens the door for the announcement of a winner of the $10 billion contract, as early as next month. The DoD previously announced that it had chosen Microsoft and Amazon as the two finalists for the winner-take-all bid. Source
  18. Oracle has recently addressed a critical vulnerability affecting its WebLogic servers. Users should update their systems quickly, as this WebLogic zero-day bug is under active exploitation. When exploited, the bug can allow an attacker to hijack a user’s systems. Actively Exploited WebLogic Zero-Day Bug Reportedly, a critical WebLogic zero-day vulnerability has posed a threat to users’ online security. This bug can allow an attacker to take control of the target devices and execute remote code. As stated in Oracle’s advisory, “This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” This vulnerability, CVE-2019-2729, has earned a critical severity level, with a CVSS base score of 9.8. According to a study by KnownSec 404 Team, this vulnerability is being actively exploited in the wild. While they considered this vulnerability a bypass for the patch of a previously known bug (CVE-2019-2725), Oracle clarified that the recent vulnerability is unrelated to it. In a blog post, John Heimann, VP Security Program Management, clarified, “Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.” Oracle Released A Fix A number of researchers reported the new WebLogic zero-day vulnerability to Oracle. The bug reportedly affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0. Oracle has since patched the bug and released the fix. Because of the severity of the vulnerability and the active exploitation, Oracle recommends that users update their systems quickly. 
“Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.” The KnownSec 404 Team also recommended some temporary solutions to mitigate the flaw. Scenario 1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service. Scenario 2: Control URL access to the /_async/* and /wls-wsat/* paths through access policy control. Source
  19. (Reuters) - Microsoft Corp and Oracle Corp on Wednesday said they reached an agreement to make their two cloud computing services work together with high-speed links between their data centers, targeting big business users and uniting against cloud computing leader Amazon.com’s Amazon Web Services. The two companies said the high-speed link between their data centers would start with facilities in the eastern United States and spread to other regions. They will also work together to let joint users log in to services from either company with a single user name and get tech support from either company. The move comes as both Oracle and Microsoft are courting large businesses and government customers considering moving computing tasks currently handled in their own data centers to cloud providers. “With Oracle’s enterprise expertise, this alliance is a natural choice for us as we help our joint customers accelerate the migration of enterprise applications and databases to the public cloud,” Microsoft’s cloud chief Scott Guthrie said in a statement. AWS, the largest cloud computing provider, is encroaching on many of those customers, including in Oracle’s historical stronghold in the database market. “With this alliance, our joint customers can migrate their entire set of existing applications to the cloud without having to re-architect anything, preserving the large investments they have already made,” Don Johnson, executive vice president of Oracle’s cloud infrastructure unit, said in a statement. Microsoft has previously inked a deal with German software maker SAP SE and Adobe Inc to make their services work better together. Ed Anderson, an analyst with research firm Gartner, said the move was a clear “jab” at AWS, especially for Oracle. “It’s no secret that Oracle views AWS as a major competitor in the database market,” he said. 
Anderson also said there remained some unanswered questions about the deal, such as whether customers would face data transfer fees for moving large amounts of information back and forth between services. But overall, Anderson said the move would likely benefit the companies by helping their pitch to large businesses already using services from both. “It’s a great way for both companies to be able to hitch their cloud offerings together,” Anderson said. Source
  20. Oracle releases its first Critical Patch Update of 2019, with vulnerabilities in Fusion Middleware leading the way. Oracle released its first Critical Patch Update for 2019 on Jan. 15, providing patches for 284 vulnerabilities. The January 2019 CPU addresses security vulnerabilities found across the Oracle software portfolio, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Thirty-three of the vulnerabilities are identified as being critical with a Common Vulnerabilities Scoring System (CVSS) score of 9.0 or higher. CVSS is a standardized method for helping organizations understand the impact and severity of software vulnerabilities. "It's interesting that there are a bunch of CVSS scores 9 and above in the risk matrices," Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin, told eWEEK. "This demonstrates fertile hunting ground for hackers." Oracle updates its applications for security vulnerabilities in a quarterly cycle known as the Critical Patch Update. The January 2019 CPU marks a decline in the number of vulnerabilities patched from the previous CPU in October 2018, where Oracle patched 301 vulnerabilities. The 2019 patch count, however, is higher on a year-over-year basis, as Oracle patched 237 vulnerabilities in January 2018. Among the most impactful flaws patched this quarter, according to an analysis by ERP security firm ERPscan, is an issue in the Jython programming language that provides an implementation of the Python programming language in Java. Jython is used in multiple Oracle applications, including the Oracle Banking Platform. "The easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Banking Platform," ERPscan wrote in its analysis. "Successful attacks of this vulnerability can result in the takeover of Oracle Banking Platform." 
Oracle Fusion Middleware Overall, Oracle Fusion Middleware is getting the most patches of any Oracle product in the January 2019 CPU. A total of 62 vulnerabilities are being patched, with 57 of the issues identified by Oracle as being remotely exploitable without authentication. Oracle Fusion Middleware components are also used as a foundation in multiple areas of Oracle's portfolio. Additionally, Fusion makes use of other Oracle components including the company's namesake database. Oracle Database, however, is only tagged by Oracle for three new security fixes in the January CPU, and none of the issues is remotely exploitable without authentication. Oracle's MySQL database, however, is not as fortunate as the Oracle Database and is getting patched for 30 issues, of which only three are remotely exploitable without authentication. Oracle gained the MySQL database as part of the acquisition of Sun Microsystems, which was completed in January 2010 for $7.4 billion. Java Along with MySQL, Oracle also gained Java as part of the Sun acquisition. There was a time when Java was heavily scrutinized and often identified as a leading component in the Oracle portfolio for software vulnerability disclosures, but that's not the case in 2019. For the January 2019 CPU, Oracle is only patching five new security issues in Java, though all of the issues are remotely exploitable without authentication. That said, Kumar noted that with the Java patches this quarter, there aren't any that have a CVSS score over 6.1. While the total number of patches in Java is low, there are still risks, according to John Matthew Holt, founder and chief technology officer at Waratek. "This CPU could risk breaking binary compatibility for applications that rely on certain cypher configurations," Holt told eWEEK. "A reminder that CPU updates present significant risk to application operability, which is why we see prolonged/unpatched server-side applications." 
Holt added that Java patching overall is in need of an overhaul as compatibility issues are resulting in millions of exposed server-side applications—especially in enterprise organizations. "These applications are not being patched, and in some legacy systems they simply can't be patched, so it's only a matter of time before we see another Equifax headline," he said.

Patching

The challenge of patching Oracle enterprise applications is also one that security firm Onapsis is concerned about. Mike Miller, senior security architect at Onapsis, commented that when considering enterprise software, especially ERP systems such as the Oracle E-Business Suite, applying security patches is not always an easy process. Miller said that one of the difficulties, while it might sound easy, is identifying what patches to apply. For Oracle E-Business Suite, security patches are cumulative and a single security patch is released by Oracle for the entire E-Business Suite, not for individual modules. "While this might be straightforward, when you apply the latest security patch for Oracle E-Business Suite, you cannot forget about the supporting technology," Miller told eWEEK. "Applying security patches to the database does not do anything for E-Business Suite, nor does applying E-Business Suite security patches do anything for WebLogic. Identifying, testing and applying the full set of patches required to secure Oracle E-Business Suite is a challenge." Source
  21. (Reuters) - Oracle Corp on Monday forecast current-quarter profit above estimates after growth in its cloud services and license support unit helped the business software maker surpass Wall Street expectations for the second quarter. Shares rose 5 percent, with the company saying that excluding fluctuations in exchange rates, it expected third-quarter adjusted profit to be between 86 cents and 88 cents per share. Analysts on average were expecting 84 cents, according to IBES data from Refinitiv. Revenue at its cloud services and license support unit, its biggest, rose 2.7 percent to $6.64 billion and beat analysts’ estimate, as more companies shifted to cloud computing from the traditional on-premise database model to cut costs. Oracle in June created a new revenue reporting structure that merged its cloud and software license businesses, which analysts have said gives little insight into the standalone performance of its cloud unit. Oracle is a late entrant to the rapidly growing cloud-based software business, but has aggressively stepped up its efforts to catch up with rivals such as Workday Inc, Microsoft Corp and Salesforce.com Inc. “Oracle’s growth in cloud services and license support of just 3 percent appears to be contradicting the strength in the overall cloud market,” said Daniel Morgan, senior portfolio manager of Synovus Trust Co, which holds 152,500 shares in the company. Last month, Workday reported a 35 percent jump in cloud subscription revenue, while Salesforce’s flagship product Sales Cloud grew 11 percent. “Oracle is still dragging behind other old line enterprise software players like Microsoft in its transition to becoming a top cloud company,” said Morgan, whose firm also holds shares in Salesforce and Microsoft Corp. The company’s net income rose to $2.33 billion, or 61 cents per share, in the second quarter ended Nov. 30. Excluding items, the company earned 80 cents per share, beating the average analyst estimate of 78 cents.
Total revenue fell marginally to $9.56 billion, but brushed past analyst expectation of $9.52 billion. Shares of the company were up at $48 in after-market trading. Source
  22. I've encountered a fatal bug in VirtualBox 4.2.18 after just a normal installation: Windows can't go to sleep! And it's not shown in any powercfg / reports or processes, so it took me lives to figure out what hinders sleep. I said I'd better note it for you people....