9.1.09

Oracle to issue 41 security patches

Vulnerabilities, of which 15 are severe, are across 'hundreds' of its products.

Oracle Corp. will issue 41 security patches next Tuesday addressing vulnerabilities across "hundreds" of its products, the company said in a pre-release announcement.

More than 15 of those patches address flaws that were described by the company as being remotely executable without the need for authentication -- a class of vulnerability to which Oracle usually assigns its highest severity rating. Of these, nine are slated for Oracle Secure Backup, two for its Application Server product and five for its BEA Product Suite.

The company's Critical Patch Update next week will also include fixes for 10 vulnerabilities in its database products. None of these vulnerabilities, however, can be exploited remotely without the attacker first having access to a username and password, the company said.

Among the affected products that were listed by Oracle in its pre-announcement were multiple versions of its database going back to Oracle database 9i, its E-business suite products and several versions of Oracle's WebLogic Server and Portal products.

The number of patches being released by Oracle in this round is about the same as the last quarter, when the company issued 36 security fixes.

By Oracle's standards those numbers are relatively small. There have been occasions when the company has issued considerably more patches in its quarterly updates. Its January 2006 update had 82 patches, while the same year's October update had 101.

As with every release, Oracle is imploring administrators to install the patches as soon as possible. But if history is any indication, a large number of the database patches, at least, are unlikely to be installed in a hurry.

A study of 305 database administrators released in January 2008 by security vendor Sentrigo Inc. found that two-thirds of those surveyed did not install Oracle's security patches at all, no matter how critical the vulnerabilities were.

Most appeared to be reluctant to bring production environments down for any length of time to implement security patches and were also concerned about the possibility of the fixes breaking applications.

Author: Jaikumar Vijayan @ www.computerworld.com


8.1.09

SAP wants Oracle to reveal software, support profit margins

SAP wants Oracle to reveal profit-margin information for JD Edwards and PeopleSoft software and support, according to a joint discovery statement filed this week in connection with Oracle's lawsuit against SAP.

In quarterly earnings reports, software vendors regularly trumpet statistics such as growth in earnings per share or the increase in revenue for general software categories, such as databases. But it is far from typical for companies to detail their profit margins for specific software product lines.

If such information were in the public domain, it could put Oracle at a disadvantage in negotiating with customers and provide "useful ammo" for its competitors, particularly Salesforce.com, said 451 Group analyst China Martens.

Oracle sued SAP in March 2007 for copyright infringement and other alleged violations, charging that workers at SAP's now-shuttered subsidiary TomorrowNow, a provider of third-party support for Oracle's PeopleSoft, JD Edwards and Siebel applications, had illegally downloaded material from Oracle's support systems and used them to court Oracle customers.

Meanwhile, SAP has said that TomorrowNow staff members were authorized to download materials from Oracle's site on behalf of TomorrowNow customers, but acknowledged that some "inappropriate downloads" had occurred. However, SAP has also said that Oracle's software remained in TomorrowNow's systems and has strongly rejected Oracle's claims of a broader pattern of wrongdoing.

Oracle has said its damages could top US$1 billion, but has not yet provided a specific figure.

SAP, meanwhile, states in the discovery document filed Monday that the information is "relevant to the calculation of Oracle's alleged damages."

"Under the Copyright Act, actual damages represent the injury to the market value of the copyrighted work at the time of infringement. In appropriate circumstances, this amount may be computed by determining the profits that would have accrued to plaintiff but for the infringement," it adds.

However, during discovery Oracle "has taken the position that it is unable to determine its profit margins on the two product lines that are at the center of this case," the filing adds. Oracle has refused to provide financial information to allow SAP to determine or make a "reasonable estimate of" its profits on the product lines, according to the filing. So, SAP wants the court to order Oracle to provide the "financial data necessary to attempt to determine Oracle's actual profit margins for the PeopleSoft and JDE products and support services."

SAP's motion comes some weeks before a settlement conference scheduled for Feb. 23. A judge has ordered both parties to turn in proposals for settlement that include specific dollar figures prior to the conference.

Oracle spokeswoman Deborah Hellinger declined comment on Wednesday.

"This filing speaks for itself and this is a normal part of the discovery process," SAP spokesman Andy Kendzie said of the company's request for the profit margin information.

SAP is not interested in dragging out the suit, he added. "We have always said that we would like this case to be resolved."

Author: Chris Kanaracus, IDG News Service


7.1.09

'Leap second' snafu affects Oracle clustering tool

Cluster Ready Services software is rebooting in some cases because of a second added to 2008.

The second that time-tracking scientists added to 2008 to adjust for the slowing of the earth's rotation is causing problems with Oracle Corp.'s Cluster Ready Services (CRS) software, the vendor said in a support document issued Monday. But it added that a pair of fixes is available.

CRS is used in conjunction with Oracle's Real Application Clusters software, which enables a single Oracle database to be deployed on a group of servers, or "nodes," in order to provide fault tolerance and increased scalability.

The "leap second event" is causing CRS nodes to reboot, according to the Oracle document that details the problem. The affected database platforms are Versions 10.1.0.2 to 11.1.0.7 of the Oracle Server Enterprise Edition, running on 64-bit Sun Solaris servers with CRS and Oracle patch sets 10.2.0.1 to 11.1.0.7.

Coordinated Universal Time, the world's time standard, needs to be adjusted in order to account for the differences that develop between UTC and the international atomic clock because of Earth's rotational speed. The addition of leap seconds is handled by the International Earth Rotation and Reference Systems Service, either at the end of June or December. The IERS, as the organization is known, added a second to Dec. 31.

As a result, Network Time Protocol daemons "had to adjust time accordingly, and the CRS product stack has encountered problems resulting in node reboots," Oracle said in its support document. NTP is used to synchronize the clocks of computers and relies on UTC to provide reference times.
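The article does not say what the two triggering conditions are, but the general failure mode it describes, a stepped wall clock confusing software that keys timeouts to it, can be watched for. The following is an added example, not code from the article or from Oracle: a heartbeat-style check that compares elapsed wall-clock time with elapsed monotonic time between samples and flags any discontinuity larger than an assumed tolerance. The sample data is constructed to mimic a kernel that inserts the 2008-12-31 leap second by repeating the POSIX second 23:59:59.

```python
"""Detect wall-clock steps relative to a monotonic clock.

Added example (not from the article). A leap second inserted by
stepping the clock shows up as a wall-clock delta one second shorter
than the monotonic delta between two consecutive samples; NTP slewing
spreads the same correction thinly and stays under the tolerance.
"""
from datetime import datetime, timezone

TOLERANCE_S = 0.5  # assumed threshold; real cluster timeouts differ


def find_clock_steps(samples, tolerance=TOLERANCE_S):
    """samples: list of (monotonic_seconds, wall_unix_seconds) tuples.

    Returns a list of (index, wall_minus_monotonic_delta) for every
    sample whose wall-clock advance disagrees with the monotonic clock
    by more than `tolerance` seconds (negative = clock stepped back).
    """
    steps = []
    for i in range(1, len(samples)):
        mono_prev, wall_prev = samples[i - 1]
        mono_now, wall_now = samples[i]
        drift = (wall_now - wall_prev) - (mono_now - mono_prev)
        if abs(drift) > tolerance:
            steps.append((i, round(drift, 3)))
    return steps


def constructed_leap_second_samples():
    """Constructed data: one sample per second from 2008-12-31 23:59:58Z.

    POSIX time has no representation for 23:59:60, so a kernel that
    inserts the leap second by stepping repeats the second 1230767999
    (23:59:59Z) while the monotonic clock keeps counting.
    """
    base = int(datetime(2008, 12, 31, 23, 59, 58,
                        tzinfo=timezone.utc).timestamp())
    wall = [base, base + 1, base + 1, base + 2, base + 3]  # repeated second
    mono = [100.0, 101.0, 102.0, 103.0, 104.0]             # never repeats
    return list(zip(mono, wall))


def constructed_slewed_samples():
    """Constructed data: the same correction applied by slewing 0.1 s/s."""
    mono = [100.0 + i for i in range(6)]
    wall = [1230767998.0 + 0.9 * i for i in range(6)]
    return list(zip(mono, wall))
```

Running `find_clock_steps(constructed_leap_second_samples())` reports the backward step at sample index 2, while the slewed series produces no report.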

The reboots will occur on affected nodes only under two specific conditions, which were detailed by Oracle. The document also spells out two methods for fixing the issue, including the installation of available patches.

A spokesman for Oracle didn't immediately respond to a request for further comment.

The rebooting issue has prompted some discussions on multiple user forums and mailing lists in recent days.

"This begs the question -- how the heck do timekeepers and politicians get away with last-minute time changes?" one user wrote. "Surely there's some pushback from technology-related interest groups to try and get more than four weeks' warning?"

Other posters, however, pointed out that the IERS made its announcement regarding the plan to add the most recent leap second last July.

Oracle's disclosure follows the problem that cropped up last week with some of Microsoft Corp.'s Zune media players. The affected devices froze up and wouldn't work on Wednesday, a snafu that Microsoft attributed to a bug in their internal clock drivers. The bug became an issue because 2008 was a leap year, Microsoft said.

Author: Chris Kanaracus @ www.computerworld.com
