Posts Tagged ‘Oracle’

Saas predictions for 2014

Friday, December 27th, 2013

While the bulk of enterprise software is still deployed on-premises, SaaS (software as a service) continues to undergo rapid growth. Gartner has said the total market will top $22 billion through 2015, up from more than $14 billion in 2012.

The SaaS market will likely see significant changes and new trends in 2014 as vendors jockey for competitive position and customers continue shifting their IT strategies toward the deployment model. Here’s a look at some of the possibilities.

The matter of multitenancy: SaaS vendors such as have long touted the benefits of multitenancy, a software architecture where many customers share a single application instance, with their information kept separate. Multitenancy allows vendors to patch and update many customers at once and get more mileage out of the underlying infrastructure, thereby cutting costs and easing management.

This year, however, other variations on multitenancy emerged, such as one offered by Oracle’s new 12c database. An option for the release allows customers to host many “pluggable” databases within a single host database, an approach that Oracle says is more secure than the application-level multitenancy used by and others. itself has made a shift away from its original definition of multitenancy. During November’s Dreamforce conference, CEO Marc Benioff announced a partnership with Hewlett-Packard around a new “Superpod” option for large enterprises, wherein companies can have their own dedicated infrastructure inside data centers based on HP’s Converged Infrastructure hardware.

Some might say this approach has little distinction from traditional application hosting. Overall, in 2014 expect multitenancy to fade away as a major talking point for SaaS.

Hybrid SaaS: Oracle has made much of the fact its Fusion Applications could be deployed either on-premises or from its cloud, but due to the apparent complexity involved with the first option, most initial Fusion customers have chosen SaaS.

Still, concept of application code bases that are movable between the two deployment models could become more popular in 2014.

While there’s no indication will offer an on-premises option — and indeed, such a thing seems almost inconceivable considering the company’s “No Software” logo and marketing campaign around the convenience of SaaS — the HP partnership is clearly meant to give big companies that still have jitters about traditional SaaS a happy medium.

As in all cases, customer demand will dictate SaaS vendors’ next moves.

Geographic depth: It was no accident that Oracle co-President Mark Hurd mentioned during the company’s recent earnings call that it now has 17 data centers around the world. Vendors want enterprise customers to know their SaaS offerings are built for disaster recovery and are broadly available.

Expect “a flurry of announcements” in 2014 from SaaS vendors regarding data center openings around the world, said China Martens, an independent business applications analyst, via email. “This is another move likely to benefit end-user firms. Some firms at present may not be able to proceed with a regional or global rollout of SaaS apps because of a lack of local data center support, which may be mandated by national data storage or privacy laws.”

Keeping customers happy: On-premises software vendors such as Oracle and SAP are now honing their knowledge of something SaaS vendors such as NetSuite and had to learn years earlier: How to run a software business based on annual subscriptions, not perpetual software licenses and annual maintenance.

The latter model provides companies with big one-time payments followed by highly profitable support fees. With SaaS, the money flows into a vendor’s coffers in a much different manner, and it’s arguably also easier for dissatisfied customers to move to a rival product compared to an on-premises deployment.

As a result, SaaS vendors have suffered from “churn,” or customer turnover. In 2014, there will be increased focus on ways to keep customers happy and in the fold, according to Karan Mehandru, general partner at venture capital firm Trinity Ventures.

Next year “will further awareness that the purchase of software by a customer is not the end of the transaction but rather the beginning of a relationship that lasts for years,” he wrote in a recent blog post. “Customer service and success will be at the forefront of the customer relationship management process where terms like retention, upsells and churn reduction get more air time in board meetings and management sessions than ever before.”

Consolidation in marketing, HCM: Expect a higher pace of merger and acquisition activity in the SaaS market “as vendors buy up their competitors and partners,” Martens said.

HCM (human capital management) and marketing software companies may particularly find themselves being courted. Oracle, SAP and have both invested heavily in these areas already, but the likes of IBM and HP may also feel the need to get in the game.

A less likely scenario would be a major merger between SaaS vendors, such as and Workday.

SaaS goes vertical: “There will be more stratification of SaaS apps as vendors build or buy with the aim of appealing to particular types of end-user firms,” Martens said. “In particular, vendors will either continue to build on early industry versions of their apps and/or launch SaaS apps specifically tailored to particular verticals, e.g., healthcare, manufacturing, retail.”

However, customers will be burdened with figuring out just how deep the industry-specific features in these applications are, as well as gauging how committed the vendor is to the particular market, Martens added.

Can’t have SaaS without a PaaS: threw down the gauntlet to its rivals in November, announcing Salesforce1, a revamped version of its PaaS (platform as a service) that couples its original offering with tools from its Heroku and ExactTarget acquisitions, a new mobile application, and 10 times as many APIs (application programming interfaces) than before.

A PaaS serves as a multiplying force for SaaS companies, creating a pool of developers and systems integrators who create add-on applications and provide services to customers while sharing an interest in the vendor’s success.

Oracle, SAP and other SaaS vendors have been building out their PaaS offerings and will make plenty of noise about them next year.


Oracle to release 86 security patches, including 18 for MySQL

Friday, January 11th, 2013

The company posted a preview of its latest quarterly patch batch, which is scheduled for Tuesday

Two of the MySQL vulnerabilities can be exploited by an attacker remotely without the need for a user name and password, according to a pre-release announcement posted on Oracle’s website. At least one has a “base score” of 9.0 on the CVSS (Common Vulnerability Scoring System), which runs from 1 to 10, with 10 being the most dangerous.

The patch batch, which is scheduled for Tuesday, also includes one fix for Oracle’s flagship database, including versions 10g R2, 11g R1 and 11gR2. While the vulnerability in question also has a CVSS base score of 9.0, it can’t be exploited remotely without credentials, according to the announcement.

But another five patches will be shipped for Oracle Database Mobile/Lite Server, and all of them are remotely exploitable without requiring authentication, Oracle said. This grouping’s highest CVSS base score is 10.0, according to Oracle.

Various components of Oracle Fusion Middleware, including WebLogic Server and Access Manager, will receive seven patches.

Some 13 patches concern Oracle Enterprise Manager Grid Control. All are exploitable remotely without credentials.

The remaining fixes set to ship Tuesday cover Oracle applications such as E-Business Suite and JD Edwards, as well as the Sun Storage Common Array Manager and Oracle’s virtualization technology.

Oracle’s last patch release, which came in October, fixed 109 problems.


Oracle Database suffers from “stealth password cracking vulnerability”

Monday, September 24th, 2012

A weakness in an Oracle login system—used in the company’s databases which grant access to sensitive information—makes it trivial for attackers to crack user passwords and gain entry without authorization, a researcher has warned.

The issue has been dubbed the “Oracle stealth password cracking vulnerability,” by the researcher who discovered it, and the problem stems from a session key the Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log on, according to a report published Thursday by Threatpost. The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

Oracle engineers have corrected the problem in version 12 of the authentication protocol, but they have no plans to fix it in version 11.1, security researcher Esteban Martinez Fayo told Threatpost. Even in version 12, the vulnerability isn’t removed until an administrator changes the configuration of a server to use only the new version of the authentication system. Oracle representatives didn’t respond to an e-mail seeking comment for this story.

There are no overt signs when an outsider has targeted the weakness, and attackers aren’t required to have “man-in-the-middle” control of a network to exploit it. That’s because the session key is sent whenever a remote user sends a few network packets or uses standard Oracle desktop software to contact the database server. All an attacker needs is a valid username on the system and a rudimentary background in password cracking.

The best way to prevent attacks that exploit the vulnerability is to install the patch and make the necessary configuration changes. Even those who continue to use vulnerable systems can take precautions that will go a long way. Passwords for all users should be randomly generated and contain a minimum of nine characters, although 13 or even 20 characters is better. The strategy here is to create a passcode that will take months or years to crack using brute-force methods, which systematically guess every possible combination of letters, numbers, and symbols.

More coverage of the Oracle Database weakness from Dark Reading is here.


Release of exploit code puts Oracle Database users at risk of attack

Tuesday, May 1st, 2012
Release of exploit code puts Oracle Database users at risk of attack

An attack devised by security researcher Joxean Koret allows hackers to hijack legitimate client connections to systems running Oracle’s flagship Database Server.

Oracle has declined to patch a critical vulnerability in its flagship database product, leaving customers vulnerable to attacks that siphon confidential information from corporate servers and execute malware on backend systems, a security researcher said.

Virtually all versions of the Oracle Database Server released in the past 13 years contain a bug that allows hackers to perform man-in-the-middle attacks that monitor all data passing between the server and end users who are connected to it. That’s what Joxean Koret, a security researcher based in Spain, told Ars. The “Oracle TNS Poison” vulnerability, as he has dubbed it, resides in the Transparent Network Substrate Listener, which routes connections between clients and the database server. Koret said Oracle learned of the bug in 2008 and indicated in a recent e-mail that it had no plans to fix current supported versions of the enterprise product because of concerns it could cause “regressions” in the code base.

“This is a 0day vulnerability with no patch,” Koret wrote in a post published Thursday to the Full-disclosure security list. “Oracle refuses to patch the vulnerability in *any* existing version and Oracle refuses to give details about which version will have the fix.”

He told Ars he was concerned the vulnerability may come under attack after he inadvertently released bug details and proof-of-concept exploit code a day earlier. Koret said he published that report after Oracle earlier this month publicly recognized him by name for his report and later provided him with a tracking number that indicated the contribution related to his discovery of the TNS Poison vulnerability.

Only after Koret published his detailed advisory did he learn that the bug wasn’t being removed from current versions of Oracle Database. Rather, he said, an e-mail he received from a member of Oracle’s security team indicated only future versions of the enterprise package would be fixed to remove the bug. The message went on to suggest current versions would not be updated because of concerns they might be corrupted by the changes.

“The fix is very complex and it is extremely risky to backport,” the Oracle e-mail stated. “This fix is in a sensitive part of our code where regressions are a concern. Customers have requested that Oracle not include such security fixes into Critical Patch Updates that increases [sic] the chance of regressions.”

When Koret pressed Oracle to explicitly say if engineers planned to allow the bug to remain in current versions, an Oracle employee responded:

“To protect the interest of our customers, we do not provide these level of details (like versions affected) for the issues that are addressed as in-depth. The future releases will have the fix.”

Oracle representatives didn’t respond to multiple e-mails seeking comment for this article.

Oblivious to attack

A TNS Listener feature known as remote registration dates back to at least 1999 with version 8i of the Oracle Database. By sending a simple query to the service, an attacker can hijack connections legitimate users have already established with the database without the need of a password or other authentication. From then on, data traveling between legitimate users and the server pass through the connection set up by the attacker.

“The attacker owns the data as almost all the connections go through the attacker’s box,” Koret wrote in his detailed advisory. “The attacker can record all the data exchanged between the database server and the client machines and both client and server will be oblivious of the attack.” Attackers can also use the connection to send commands to the server that instruct it to add, delete, or modify data. Attackers could also exploit the bug to install rootkits that take control of the server itself, he told Ars.

“Regarding the server side, yes, it can be used to install, for example, a database rootkit, if a DBA (database administrator) connection is captured in the man in the middle (or by capturing a normal user’s session and then using a privilege escalation vulnerability, something not that hard),” he wrote in an e-mail to Ars. “Also let’s say that an attacker finally gained DBA access to the database: (s)he then is capable of executing operating system commands with the privileges of the running user.” On servers running Microsoft Windows, the Oracle Database runs as a Local System, giving an attacker significant control. Systems running Unix-based operating systems have more limited control, but attackers could possibly exploit other vulnerabilities to elevate those privileges.

TNS Listener can be set up to listen for connections over the Internet, Koret warned. This makes it possible for the vulnerability to be exploited remotely over the Internet. Fortunately, Koret said, such Internet-wide configurations are rare. In those cases, attackers would require access to the private network hosting the database server.

The lack of a fix is compounded by Koret’s inadvertent disclosure of detailed instructions for exploiting the vulnerability. Making matters worse, Oracle has yet to confirm or deny Koret’s claim that there will never be a fix for current versions of the database product.

That means it’s up to Oracle customers to lower their exposure to the vulnerability. Koret’s initial post includes a list of “possible workarounds.” One such technique involves setting up load balancing on client machines and updating their configuration to include a full list of Oracle RAC nodes. Another possible mitigation is to update the protocol.ora or sqlnet.ora files on vulnerable servers to check for valid nodes. Customers who have bought the Oracle Advanced Security feature can also lower the risk of attack by mandating the use of secure sockets layer authentication between clients and servers.

On Monday afternoon, Oracle released its own list of mitigations and strongly urged customers to implement them right away.

“Considering that the technical details of vulnerability CVE-2012-1675 have now widely been distributed, Oracle highly recommends that customers make the configuration changes documented in the above mentioned My Oracle Support Notes as soon as possible,” Oracle’s Eric Maurice blogged. “Customers should also feel free to contact Oracle Support if they have questions or concerns.”


Oracle claims new MySQL Cluster does 1 billion queries per minute—in NoSQL

Friday, February 17th, 2012

Oracle has announced the general availability of MySQL Cluster 7.2 as a GPL download, and claims to have achieved a benchmark of 1 billion queries per minute and 110 million updates per minute on an eight-server cluster. Those results, based on the flexAsynch test in the DBT-2 benchmark, were attained using a new NoSQL NDB C++ API.

Mikael Ronstrom, senior MySQL architect at Oracle, described the test rig for the benchmark in a blog post on February 15. He said that the server cluster used in the test ran on eight two-socket servers, each running one data node, “using X5670 with Infiniband interconnect and 48GB of memory per machine.” Ten other machines ran the flexAsynch queries against the cluster.

In the flexAsynch test, “each read is a transaction consisting of a read of an entire row consisting of 25 attributes, each 4 bytes in size,” he wrote. “flexAsynch uses the asynchronous feature of the NDB API which enables one thread to send off multiple transactions in parallel. This is handled similarly to how Node.js works with callbacks registered that reports back when a transaction is completed.”

The results were a eight-fold improvement from a similar benchmark ran by Oracle last year. But given that there aren’t any published results anywhere else for flexAsynch scores from any other vendor, it’s hard to say exactly what these results mean, or how the performance compares to other open-source NoSQL databases.