Oracle’s dangerous patching policy

Oracle releases a quarterly Critical Patch Update (CPU); the most recent, released this April, reportedly fixes 390 bugs across the Oracle software suite. 41 vulnerabilities are ranked as critical, five of which carry a perfect CVSS score of 10, and 200 of the vulnerabilities can be exploited remotely without authentication.

I don’t understand why any vendor, in today’s cyber threat environment, would restrict itself to only releasing patches on a quarterly basis – the opportunity for application and system compromise in the intervening period is unacceptably high. Patching is a cornerstone of effective preventative cyber security – and vendors that fail to release patches quickly are in effect facilitating the activity of Bad Actors.

That raises a more strategic question: is it currently cyber-sensible to deploy Oracle products in a corporate environment?