This rumor is pure speculation because I have no way of validating the rumor. But from the general tight lips, and rushing about in panicked fashion by those who should know this rumor may be true.
@VKt7WnY indicates that Oracle Autonomous in the Exadata cloud has been down for four days. This is after the last critical security patch was "automatically" applied. @VGSNgTg pointed out some serious security holes that allow an attacker to remotely gain full access to the Oracle VM through a command buffer over flow or gaining access to SSH through the libssh bug.
What appears to have happened is the first real world test of the Oracle marketing hype for Autonomous. Who needs human thought when applying a security patch? Apparently a human with some insight could have prevented the complete rupture. Luckily very few people know about it due to the extremely limited number of customers using it.
A huge benefit of automatic patching is consequent improvements in security. If a security flaw or vulnerability is discovered, Oracle Autonomous Database will benefit from the fix as soon as that fix has been developed and tested by Oracle.
Looks like Autonmous patched its self into oblivion. Now who could have seen this coming?
libssh bug more like "oh SSH…"
Once admins get the Oracle patches in place, they will want to take a close look at the write-up for CVE-2018-10933, an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a "SSH2_MSG_USERAUTH_SUCCESS" message when it expects a "SSH2_MSG_USERAUTH_REQUEST" message. That means any miscreant can log in without a password. As you can imagine, this is a very bad thing.
https://www.theregister.co.uk/2018/10/16/oracle_patch_bundle/
- Patches, Upgrades, and Security Fixes Are Applied Automatically, Without Downtime
Autonomous Database applies patches and updates automatically. And more importantly, these patches happen online, while the database keeps running. By leveraging technologies such as Real Application Clusters and Multitenant, the cloud service ensures that its databases are always available during patching. This not only minimizes downtime, but also makes sure that each customer’s database is always running on the latest updates.
The largest single cause of security breaches is systems that were not up-to-date with security patches. A huge benefit of automatic patching is consequent improvements in security. If a security flaw or vulnerability is discovered, Oracle Autonomous Database will benefit from the fix as soon as that fix has been developed and tested by Oracle.
Contrast this to on-site software installations, where there may be a lengthy delay while customers are notified, patches distributed, and then worked into each organization’s own maintenance cycle—which might take days or weeks. That’s a period during which the system is potentially vulnerable to attack or data loss. With the autonomous service, Oracle takes care of implementing the security fixes—and rolls them out without any downtime experienced by the customer.
https://www.forbes.com/sites/oracle/2018/10/10/what-makes-oracle-autonomous-database-truly-autonomous/#6b0a73f42de6
Can anyone confirm this rumor?