June 9, 2017—First it was "holistic security." Now it’s "virtual patching." Rimini has announced yet another inadequate response to real-world security challenges. Rimini Street’s June 7, 2017 announcement to resell a virtual patching product is not an offer to deliver software security patching in the true sense of the word. Oracle believes that neither holistic security nor virtual patching is sufficient to protect your Oracle systems from intrusion in an interconnected network, as the actual Oracle code is not updated. Only Oracle can provide security at every layer in our software stack because we can modify our source code to deliver updates that address vulnerabilities posed by emerging threats.
Virtual patching is generally used as a term for web application firewalls. Firewalls alone are insufficient, as they are neither impenetrable nor do they provide protection from internal breaches. Only Oracle can provide critical security for Oracle software and for our customers’ systems by correcting identified vulnerabilities within the source code of the software itself.
The creators of the virtual patching software that Rimini is reselling, McAfee, agree that virtual patching is no substitute for patching software. In its own white paper about virtual patching, McAfee advertises virtual patching as "eliminat[ing] the risk exposure until IT can appropriately patch the systems during the next regularly scheduled patch cycle." In other words, virtual patching buys a customer more time to apply patches; it does not substitute for vendor security offerings. The Department of Homeland Security has advised repeatedly against using old or unpatched software, noting that "[t]imely patching is one of the lowest cost yet most effective steps an organization can take to minimize its exposure to the threats facing its network." Rimini stands alone in claiming that not patching software (or using outdated software) is not a security risk.
Rimini’s announcement to resell a virtual patching product is also limited in scope. The announcement references only databases and makes no reference to Oracle Applications, including Oracle E-Business Suite, JD Edwards, PeopleSoft, Siebel, and more. None of the critical vulnerabilities Oracle has patched in Oracle Applications would be covered by this technology.
With respect to database vulnerabilities, virtual patching technology is potentially useful only when an exploit produces identifiable patterns of network traffic that the virtual patching technology can "see." What if an attack on those databases uses unrecognized traffic patterns or new methods that are not visible to the virtual patching firewall? And where the technical details of a security vulnerability are not published, Rimini’s virtual patching would be "blind" to that vulnerability. Oracle patches such vulnerabilities as it discovers them.
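The blind spot described above, shown as an added example that is not code from the original page and is not Oracle’s, Rimini’s, or McAfee’s: a traffic-inspecting "virtual patch" can only stop statements that match a signature it already knows, while a fix in the code itself removes the flaw no matter how the input is shaped. The signature list, the sample table, and the payloads below are constructed for illustration and do not model any real product’s rules; real database firewalls use richer inspection than two regular expressions, but the structural limitation is the same.

```python
"""Signature-based 'virtual patch' vs. a code-level fix (added example).

Everything here is constructed for illustration: the rule set does not
model any real product, and the table holds made-up sample rows.
"""
import re
import sqlite3

# Constructed signatures in the style of a traffic-inspection rule set:
# block the classic tautology  ' OR '1'='1  and a trailing SQL comment.
VIRTUAL_PATCH_RULES = [
    re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    re.compile(r"--\s*$"),
]


def virtual_patch_allows(statement: str) -> bool:
    """True when no rule matches, i.e. the 'virtual patch' lets the
    statement reach the database unchanged."""
    return not any(rule.search(statement) for rule in VIRTUAL_PATCH_RULES)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "dba"), ("bob", "analyst")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Unpatched code path: user input is concatenated into the SQL text.
    The virtual patch sits in front of the database and can only judge
    the statement text it sees on the wire."""
    statement = (
        f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    )
    if not virtual_patch_allows(statement):
        return []  # dropped at the 'firewall'
    return [row[0] for row in conn.execute(statement)]


def patched_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Code-level fix: the value is bound as a parameter, so no input can
    alter the structure of the statement. No signature is needed."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


# Constructed payloads: the first matches the signature, the second has
# the same effect (tautology in the WHERE clause) but a different shape.
KNOWN_PAYLOAD = "' OR '1'='1"
VARIANT_PAYLOAD = "' OR 1=1 AND ''='"


def demo() -> dict:
    """Run both payloads through both code paths and report the results."""
    conn = make_db()
    return {
        "known_blocked_by_signature": vulnerable_lookup(conn, KNOWN_PAYLOAD),
        "variant_slips_past_signature": vulnerable_lookup(conn, VARIANT_PAYLOAD),
        "known_against_patched_code": patched_lookup(conn, KNOWN_PAYLOAD),
        "variant_against_patched_code": patched_lookup(conn, VARIANT_PAYLOAD),
        "legitimate_lookup": patched_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The signature stops the payload it was written for, but the variant (which never contains the quoted `'1'` the rule looks for) reaches the unpatched query and dumps every row. The parameterized version returns nothing for either payload and still finds a real user, because the fix is in the code rather than in a description of attack traffic. Note also that a connection that never crosses the inspection point, such as a local or internal session, is not inspected at all, which is the "internal breaches" point made above.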
There is no substitute for patches that modify code and protect systems from vulnerabilities. There is also no substitute for proactive change management processes. Combining the two together in a consistent release management process is the best way to achieve the levels of security our customers require to protect their systems and data. And Oracle believes that there is no real dispute that the best way to correct an identified vulnerability within the source code is with a patch provided by the software vendor. The fact remains, only Oracle can do this for Oracle software.
May 12, 2017—US-CERT has received multiple reports of WannaCry ransomware infections in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.
Ransomware spreads easily when it encounters unpatched or outdated software. The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).
Q. And, in fact, you actually told customers that [security updates] weren’t necessary, and they—you told them they weren’t necessary, right?
A. Yes, because it’s an outdated model relative to what we call holistic security today.
Q. Yeah. All right. Holistic security means don’t put security in the software, just put it in the firewall at your place of business, right?
A. It’s actually the most innovative version available today for security people, yes.
Q. [Mr. Ravin] said it was called holistic security....Do you have any reaction to that?
A. I do. That’s totally ridiculous. It’s completely and totally ridiculous.
A. Because you must patch software vulnerabilities in order to avoid being vulnerable. If all you do is you set up firewalls around systems, you are making a grave, grave mistake...I think that if you do not provide security fixes, security patches of software, you cannot possibly claim to be providing support.
"Before the trial began, a federal judge determined that Rimini Street and Seth Ravin infringed Oracle’s intellectual property rights in the PeopleSoft and Oracle Database product lines. After two weeks of trial, a federal jury found that Rimini also infringed Oracle intellectual property rights in the JD Edwards and Siebel product lines. That same jury awarded Oracle more than $50 million in damages for that infringement and violations of laws protecting computer systems. Oracle further intends to seek an injunction barring Rimini from continuing to operate its business based on massive infringement. This case certainly was not about an honest dispute over licensing terms, as Rimini pretends. It was about IP theft, pure and simple. Rimini and Seth Ravin got caught, and now they have to pay. Oracle will aggressively pursue its claims in the second lawsuit pending against Rimini for the infringement and other misconduct that occurred after the dates at issue in the first trial."—Deborah Hellinger, Vice President, Oracle Corporate Communications
September 23, 2016—It took Rimini Street less than 24 hours to concoct a press release that marks a new low for dishonesty, even for a company that has engaged in "significant litigation misconduct." Today, Rimini is lying to customers and the general public in claiming that "The Court noted that ’Rimini’s ability to compete against Oracle in the software support service market would not be lost with an injunction, and thus, the public would still have access to competition in that market.’"
What the Court actually wrote was that "Rimini has repeatedly represented to the court that its current business model is not based on its prior infringing conduct. Taking defendants’ statements as true, then Rimini’s ability to compete against Oracle in the software support service market would not be lost with an injunction, and thus, the public would still have access to competition in that market." (Emphasis added.) Rimini is thus telling customers that Rimini’s own representations to the Court are findings by the Court, and that is simply false. Further, to the extent anyone is tempted to accept Rimini’s representations to the Court as true—which would be dangerous considering the Court found Rimini engaged in "significant litigation misconduct"—it should be noted that Rimini also has represented to the Court "If the Court enters the proposed injunction, Rimini could suffer significant harm to its lawful business and to its ability to litigate contested conduct in the second action still pending in this Court."
Oracle recommends that customers read the Court’s opinion for themselves, as customers should be gravely concerned about doing business with a company that has shown "callous disregard for Oracle’s copyrights and computer systems," and that built its business model "entirely on its infringement of Oracle’s copyrighted software and its improper access and downloading of data."—Deborah Hellinger, Vice President, Oracle Corporate Communications