Oracle produces bloated, buggy software...
... Then sticks head in sand and denies there's a problem.
Shock, horror. In other news, water found to be wet, and bears do indeed relieve themselves in the woods.
Oracle has a 'huge, massive, ginormous' attack surface, according to one prolific and proven researcher who reckoned he gave up looking because there are too many vulns. The security tester (who requested anonymity because his presentation wasn't approved by his employer) for one of the biggest tech firms found 50 …
So true. I once tracked down an LDAP issue in a program to its use of the Oracle DB client - which, it turns out, included all of OpenLDAP and exported the symbols from it. So the program was binding to Oracle's OpenLDAP functions instead of the ones in the actual OpenLDAP library, with consequent mixed-runtime badness.
There's no reason for a database client library to expose a whopping great unrelated API to its callers. That's just lazy - and dangerous.
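The collision the commenter above describes (a vendor client library exporting a whole copy of OpenLDAP, so the dynamic linker binds the program's `ldap_*` calls to the vendor's copy rather than the real libldap) is easy to check for before it bites you. The script below is an added example, not code from the thread or from Oracle or OpenLDAP: it compares two lists of exported symbols and reports the ones both libraries define. The symbol lists here are constructed for the demonstration; in practice you generate them with `nm -D --defined-only` as shown in the comments, and the library names, paths and helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): detect symbols that two
# shared objects BOTH export, i.e. candidates for the kind of interposition
# described above, where a DB client library shadows OpenLDAP's functions.
#
# Input files are plain symbol-name lists, one per line, as produced by:
#   nm -D --defined-only libclntsh.so | awk '$2 ~ /^[TW]$/ {print $3}' > a.syms
#   nm -D --defined-only libldap.so   | awk '$2 ~ /^[TW]$/ {print $3}' > b.syms
# (T = defined code symbol, W = weak symbol; library names are assumptions.)

# symbol_overlap LIST_A LIST_B -> prints, sorted, every symbol in both lists.
symbol_overlap() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    # comm requires sorted input; use the C locale so sort and comm agree.
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    LC_ALL=C comm -12 "$a" "$b"      # -12: keep only lines common to both
    rm -f "$a" "$b"
}

# overlap_count LIST_A LIST_B -> prints the number of colliding symbols.
overlap_count() {
    n=0
    for _ in $(symbol_overlap "$1" "$2"); do n=$((n + 1)); done
    echo "$n"
}

# has_overlap LIST_A LIST_B -> exit 0 if any symbol collides, 1 otherwise.
# Suitable as a CI gate: fail the build when a third-party library exports
# names that belong to another library you link against.
has_overlap() {
    [ "$(overlap_count "$1" "$2")" -gt 0 ]
}

# --- Constructed sample data standing in for real nm output ---------------
SAMPLE_DIR=$(mktemp -d)
DB_SYMS="$SAMPLE_DIR/dbclient.syms"
LDAP_SYMS="$SAMPLE_DIR/openldap.syms"
OTHER_SYMS="$SAMPLE_DIR/unrelated.syms"

# A hypothetical DB client that, besides its own API, exports LDAP entry points.
printf '%s\n' OCIEnvCreate OCILogon2 ldap_init ldap_sasl_bind_s \
    ldap_search_ext_s > "$DB_SYMS"
# The genuine OpenLDAP client library's exports (a small constructed subset).
printf '%s\n' ldap_init ldap_sasl_bind_s ldap_search_ext_s ldap_unbind_ext \
    > "$LDAP_SYMS"
# A library with no overlap at all, for contrast.
printf '%s\n' zlibVersion deflate inflate > "$OTHER_SYMS"

echo "Symbols exported by both the DB client and OpenLDAP:"
symbol_overlap "$DB_SYMS" "$LDAP_SYMS"
echo "Collisions: $(overlap_count "$DB_SYMS" "$LDAP_SYMS")"
```

Once a collision is found, confirm which object actually wins at run time with the glibc loader's tracing, `LD_DEBUG=bindings ./yourprogram 2>&1 | grep ldap_init`, which prints the object each binding resolves to. On the library side, the fix is for the vendor to hide its private copy by restricting exports with a linker version script (`-Wl,--version-script=exports.map`), or at least to prefix the symbols, so that callers bind to the OpenLDAP they actually linked against.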
I think the Oracle developers believe attack surface is a feature. "Look, I've doubled the size of my attack surface!"
Everyone in InfoSec knows that each Oracle application you use on your network decreases your security posture immensely. We stopped using all Oracle products over a year ago and have gotten rid of any applications using Java. Makes patching much easier.
Every application and OS will need patching, but when you take over 2 years to fix some items and use the general public at large to do your security testing (while charging them to use the product)... it just isn't worth the risk.