Thread regarding Oracle Corp. layoffs

Meltdown & Spectre prove that Oracle is no longer even trying in the systems space

Only two major CPU architectures have not received some sort of official response from their vendors regarding Meltdown & Spectre: SPARC and Itanium. Notice any pattern here?

Look at how seriously a REAL systems company takes this:

Meanwhile, all our poor customers hear from us is deafening silence. I've heard some people suggest that SPARC is not susceptible. I doubt that, but even if that were true, then why would we not be telling everyone who will listen that our chips are safe? The truth is probably that we don't even know yet. I bet ES wishes he kept a few more of the microelectronics team around right about now. Our customers are boned.

by | Post ID: @R7CM21j

21 replies (most recent on top)

@R7CM21j-5vci : exactly

The security engineering was basically all in the Solaris team, which is mostly gone now.

Oracle has just implemented the generic linux patches for Meltdown/Spectre to the OUK, no engineering needed here.

We no longer have any resources to analyse the issues with SPARC, and we are just waiting for Fujitsu to come up with something (both on SPARC fw and Solaris patch... Fujitsu has access to Solaris code), and meanwhile all SPARC customers are possibly exposed to the Spectre exploits (Meltdown is ineffective on SPARC).

This is why the so-called "public statement" (which is actually not public) is just referring to the availability of Intel-only patches

by | Post ID: @R7CM21j-5bci

"It would be interesting to know whether Google and Intel gave them advanced warning of the issues."

Actually they didn't, since Oracle is only recognized as a marginal tier-3 HW vendor. Google alerted only Intel, AMD and ARM back in June '17.

Then Intel alerted some tier1 HW vendors, and ARM alerted Samsung.

by | Post ID: @R7CM21j-5oaz

They're probably waiting for the Linux code from Red Hat to fix the Linux systems.

Joyent has started fixing the issues so Oracle will probably wait for their changes and take the IP - until they learn the world diverged.

Perhaps they will ask Fujitsu for help with the SPARC stuff.

I was in a group that would have heard about the issue last summer but we weren't told. I'm guessing Oracle found out about it when details of it started to leak in December.

Who will be first to set up cryptomining operations on OPC and make the usage look low so the daily & weekly usage reports look normal? I read a story that an Oracle app server vulnerability was used precisely to do that last year and the perps made a tidy sum of money.

by | Post ID: @R7CM21j-5vci

We certainly knew about this before the public did. Some non-OS software groups were let in on it back in December. As both an OS and CPU vendor, I'm sure Oracle would have been contacted last Summer like all the other vendors. There is no way they would have left us out.

We knew, sadly security just isn't our thing... God help our cloud users...

by | Post ID: @R7CM21j-5huc

Oracle is as incapable of dealing with these issues as it is in dealing with any number of other issues. Dead company staggering into its grave as customers run away and revenues dry up. But hey LE and mH are having wild parties with all these Class of kids - isn’t that all that matters? Well, apparently it is!

by | Post ID: @R7CM21j-5jlu

Makes me wonder if Oracle received the same early disclosure of the vulnerability as Intel & Co. mid last year. Could imagine that a company (executives) that loves to make enemies everywhere might be “overlooked”.

by | Post ID: @R7CM21j-4kdi

Wow, this is really interesting. I know someone at HP who is working on these issues, apparently it's extremely complicated to deal with.

I suspect that Oracle just doesn't have the people to support doing anything about this, let alone looking into the details. I am not in the hardware area, but some severely stupid things were done in my area. Wrong people gone, code moved to India without any process.

The Oracle upper level management is completely clueless.... no doubt they just pulled up a big spreadsheet and without knowing anything about the people they were laying off, they just randomly chopped people out. Who knew those people might actually matter?

"Who knew healthcare could be so complicated?" DJT, supreme airhead in chief.

Same thing at Oracle.

by | Post ID: @R7CM21j-4kxq

There is a meltdown attack on Oracle executives ....

by | Post ID: @R7CM21j-4rmq

How embarrassing! They really don't care. Perhaps they've fired so many people they are incapable of responding properly.

If I were an Oracle systems customer, I would be extremely pissed right now. Pay big $$$ for support and find them asleep at the wheel when it matters.

It would be interesting to know whether Google and Intel gave them advanced warning of the issues.

by | Post ID: @R7CM21j-4dtd

The Register posted this 9 hours ago:

"Oracle has just told us it has no comment or statement about Meltdown/Spectre for now. Yet it sells x86 systems, runs an x86 cloud, has a Linux ... What do you think peeps?"

Oracle looks to be the only large or medium sized vendor without a response on:

by | Post ID: @R7CM21j-4qqi

ZFSSA is Solaris x86 based (hence does not have separate kernel / user address spaces) and does allow users to log in and drop to a shell. It would be possible to use one of the demonstrated exploits to intercept the root password.

ZFSSA is not intended to run customer code, other than workflow scripts, but there is nothing stopping anyone from running their own apps on it.

by | Post ID: @R7CM21j-4bue

ZFSSA does not run customer-supplied code so it does not need these patches.

by | Post ID: @R7CM21j-4ekz

They don't just need patches for Solaris, they also need them for the derivative products such as ZFSSA.

The longer it takes to patch their sh-- again, the longer everyone gets to mine coins at their expense.

by | Post ID: @R7CM21j-3iri

Itanium is safe by design regarding Meltdown:

no out-of-order

no x86 (even with KAISER some x86 address spaces are mapped to the user space; as Itanium has no x86 (which was its death), it is safe)

Itanium and Spectre...?

by | Post ID: @R7CM21j-2uwl

Ah, the good old "silent EOL" where Oracle stops supporting their products years or even decades before the published EOL date arrives. Sure, you can open a service request, but there are no more product engineers left to do any real investigation or fix anything. But you can chat with some random support dude in India who has probably never even seen a SPARC machine in his life.

by | Post ID: @R7CM21j-2iir

There is no way Oracle can or wants to blow the trumpet for SPARC. Hardware business is a closed off chapter/book for Oracle.

A cynical view is that Oracle can see the situation to even accelerate the closure of it. Oracle probably hopes that customers give up on the hardware early so that Oracle is not faced with legal period of support for existing hardware customers...

by | Post ID: @R7CM21j-2qke

Even hardware that doesn't F---ING exist yet is beating Oracle to the punch with a public statement.

by | Post ID: @R7CM21j-2yic

SPARC is safe against Meltdown simply because Solaris implemented KPTI long ago.

As far as I know, KPTI has not been ported to Solaris x86, so this OS is not safe. And most probably given the Solaris x86 resources available, it will never be ported.

SPARC, like ALL other CPUs using BP / SE, is not safe against Spectre, and a patch is needed. I strongly doubt anyone is working on this for SPARC, given the very few Solaris kernel engineers remaining in Oracle.

We will shortly (today or tomorrow) make the patches for OL for Meltdown and Spectre 1 available. Spectre 2 is not currently patchable, and this is true for everyone. But the way Spectre2 works, it will affect heavily only cloud services, on-prem should be reasonably safe.

by | Post ID: @R7CM21j-1lzf

Itanium is not an out of order speculating processor. It's freaky and really does seem to be safe at the hardware level. Pity they canned the whole concept now they need it

The other people who still haven't heard are MIPS customers. The embedded stuff is probably fine but nobody seems too sure about R10K

by | Post ID: @R7CM21j-1wvp

This is typical Oracle.

The claims that SPARC isn't affected by SPECTRE come from Oracle marketing and PR types. There has been no official statement from Oracle regarding SPECTRE.

The consensus among technical people is that SPARC is indeed vulnerable to SPECTRE.

The SPECTRE vulnerability is not specific to a particular CPU or architecture. It is found in any modern processor that has speculative execution and branch prediction. SPARC is one of these processors.

The burden of proof is on Oracle.

by | Post ID: @R7CM21j-1mrm

Believe me, the deafening silence is deafening!

Oracle should really put out a statement about this, even if it's to say they are still 'evaluating'. Keeping silent about this is giving us the impression that they simply no longer have sufficient Solaris based resources to handle this.

On the other hand, if the speculation that SPARC is not affected is true, then Oracle should be out there blowing a trumpet!

by | Post ID: @R7CM21j-1omi
