24.7.07

Oracle refutes 'SSH hacking' slur

An investigation by Oracle has revealed that none of its systems were involved in launching a recent brute force attack on secure servers around the net.

From the beginning of May until earlier this week, "compromised computers" at Oracle UK were listed among the ten worst offenders on the net for launching attacks on servers which run SSH (secure shell) server software, according to statistics from servers running DenyHosts software to block SSH brute-force password attacks. DenyHosts is a script for Linux system administrators designed to help thwart SSH server attacks. Around 6,800 users contribute to the data it collects.

Oracle servers - recorded as active since 3 May - featured at number nine on DenyHosts' list. The listing implied that a computer (or multiple computers) at Oracle UK had been compromised for weeks, allowing hackers to use Oracle's bandwidth to hack other boxes elsewhere on the net.

Following our inquiries last week, Oracle supplied us with a holding statement saying it was investigating the problem. The database giant concluded this investigation early this week. It says none of its systems were responsible for the attack.

"Security is a matter we take seriously at Oracle and our first priority is meeting customer needs and reducing their risk. As soon as Oracle was made aware of the situation we began an investigation, which is now complete. Oracle can confirm that none of its systems were responsible for an SSH brute force attack and the allegation of compromised computers at Oracle has been removed from the Deny Hosts website," it said.

So if DenyHosts' listing was erroneous, how did the entry for the database giant get there in the first place? Reg reader Stephen has one theory:

"There are a couple of issues in the present DenyHosts that could cause a group to insert their favourite bad-guy site into the DenyHosts database. They all seem to be related to regular expression problems".

"I confirmed that one could insert false sites in by just spamming a bunch of sites with echo "string from oracle IP" as listed above. It is probably not the cause for this issue, but could be used as a cover," he adds.

We were unable to contact DenyHosts at the time of writing so the exact cause of the Oracle listing remains unclear.

Author: John Leyden


23.7.07

Oracle says CEO plans to sell up to 100 mln shares

NEW YORK (Reuters) - Oracle Corp. (Nasdaq:ORCL - news), the world's third-largest software maker, on Friday said Chief Executive Larry Ellison adopted a plan to sell up to 100 million of the company's shares over the next nine months.

Ellison also plans to gift almost 2 million shares to the Ellison Medical Foundation, which supports biomedical research.

Oracle said if Ellison completes all the sales and gifts detailed in the plan, he would own about 1.173 billion shares, or 22.7 percent, of Oracle's outstanding stock.

Based on their closing price of $20.61, the 100 million shares would be worth $2.06 billion. Earlier on Friday, Oracle's shares rose to their highest level in more than five years.

The Rule 10b5-1 trading plan adopted by Ellison allows corporate officers and directors to conduct prearranged stock trading if they don't have material, nonpublic information.

Forbes magazine ranked Ellison as the fourth-richest American in its annual list last September.

Reporting by Justin Grant and Lewis Krauskopf


20.7.07

Oracle patches 45 vulnerabilities in its databases

Oracle released patches for 45 flaws, 13 of which allow an attacker to exploit various Oracle products remotely without proper access credentials, in its latest round of quarterly Critical Patch Updates on Tuesday.

Among the products affected are multiple versions of the Oracle Database, Application Express, Secure Enterprise Server Search, Application Server, Collaboration Suite, E-Business Suite and the PeopleSoft customer-relationship management (CRM) software.

Seventeen of the 45 vulnerabilities affect revisions of Oracle’s Database Server (two are among the 13 that can be exploited remotely).

Here's a breakdown of the 45 fixes deployed in the July Critical Patch Update (CPU):

* 18 are for Oracle Database Server, with two that patch flaws that are remotely exploitable without credentials.

* One is for Oracle Application Express.

* Four are for Oracle Application Server, including three that patch flaws that are remotely exploitable.

* One is for Oracle Collaboration Suite, patching a flaw that can be exploited remotely.

* 14 are for Oracle E-Business Suite, with six that patch flaws that are remotely exploitable.

* Seven are for Oracle PeopleSoft Enterprise, with one for a remotely exploitable flaw.

Secunia, a private security research firm, rated the patches "highly critical." The company noted that Oracle has not released enough details on some of the vulnerabilities to predict their impact but that other flaws "can be exploited to bypass certain security restrictions and conduct SQL injection attacks."

For instance, one of the vulnerabilities, in Oracle’s Application Express (APEX), does not correctly "sanitize," or normalize, input passed via the password function before using it in SQL queries. (APEX is a free tool that allows building, deploying and managing secure web applications via a web browser.) This can be exploited to modify SQL queries by injecting arbitrary SQL code into the password field, according to Secunia.

Certain input processed by the DBMS_PRVTAQIS function suffers from a similar vulnerability and can also be exploited via SQL injection, Secunia said.
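The APEX flaw Secunia describes is the familiar pattern of splicing a password field straight into SQL text. The following is an added example, not Oracle's or Secunia's code: it uses Python with an in-memory SQLite table holding one constructed user, and puts the vulnerable concatenation beside the parameterized form so the difference in how a quote-bearing password value is treated can be checked directly.

```python
import sqlite3

# Constructed sample data for the demonstration; real systems would store a
# password hash, not the password itself. Not Oracle APEX code.
SAMPLE_USERS = [("alice", "correct horse battery staple")]


def make_db():
    """Build an in-memory database holding the constructed sample user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation: the password value becomes
    part of the SQL text, so a quote character in it changes the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_hardened(conn, name, password):
    """Uses bound parameters: the password travels as data and is never
    parsed as SQL, so the same input is compared literally and fails."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


def compare(name, password):
    """Run both variants on the same input; returns (vulnerable, hardened)."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, name, password),
                login_hardened(conn, name, password))
    finally:
        conn.close()


if __name__ == "__main__":
    # A password value that closes the quoted literal and appends an
    # always-true clause; only the concatenated query is changed by it.
    hostile = "x' OR '1'='1"
    print(compare("alice", "correct horse battery staple"))
    print(compare("alice", hostile))
```

Run as a script it shows the genuine password succeeding in both variants while the quote-bearing value logs in only through the concatenated query.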

While "Oracle is doing a pretty good job" of testing and fixing problems, most major software developers are falling down in creating secure code, said Bill Bartow, vice president of product management for Tizor, a database auditing company.

"Building secure code must be a fundamental of their code-development processes and has to be institutionalized across their environment," he said. "The industry could do a better job of testing their products for vulnerabilities before they ship them. A few [developers] are doing that, but the rest of the industry has a long way to go. Until they do, we’ll continue to see vulnerabilities [in enterprise applications]."

As part of its latest round of patches, Oracle also released what it called its "napply CPU" (pronounced "N Apply"). This feature helps customers who encounter merge conflicts when installing CPU patches, Oracle’s Eric Maurice said in a blog posting.

He said that napply CPU simplifies patch conflict-resolution procedures and speeds the resolution of security vulnerabilities. He called the napply CPU an "enhanced" offering for the Unix and Linux versions of the Oracle database server that groups "molecules" of security fixes in a way that eliminates conflicts with other molecules within the server.

Oracle has scheduled its next round of Critical Patch Updates for Oct. 16.

Author: Jim Carr
