Re: WHY WHY does Oracle OEM 12c (12.1.0.5) use the following...

  • From: Chris Taylor <christopherdtaylor1994@xxxxxxxxx>
  • To: Tim Hall <tim@xxxxxxxxxxxxxxx>
  • Date: Thu, 12 Nov 2015 18:12:19 -0600

Well, that makes me feel better at least - that I'm not alone in scratching
my head over it I mean. Seems crazy to ship out a product that contains
significant vulnerabilities when they could re-package it with a known good
Java version.

Chris

On Thu, Nov 12, 2015 at 5:33 PM, Tim Hall <tim@xxxxxxxxxxxxxxx> wrote:

Well:

1) Many (but not all) of the major security alerts around Java 6 have
actually been on the client side, when running the Java plugins in
browser, so server side Java is not so much of a problem (insert
caveats here).
2) Cloud Control is not for public access, so...
3) WebLogic 11g (10.3.6) is still by far the most popular version at
this time. Oracle Fusion Apps is currently built on WebLogic 11g
10.3.6 using ADF 11.1.1.9. To my knowledge, it has not been migrated
to WebLogic 12c yet. With that in mind, it's hardly surprising other
projects have not moved forward yet.
4) The teams in Oracle each have their own deadlines, and
time-to-market pressures mean they rarely use the latest products.
Testing your code base against a later release of the software takes
time that could be spent adding new features. This happens to all of
us. :)
5) Cloud Control is a shrink-wrapped application. You shouldn't be
using it for your own stuff, so why do you care what it's built with,
provided it passes your external penetration testing? I treat it like
a black box.
6) Oracle teams very rarely seem to look outside of themselves for
best practices provided by other teams. As proof I offer you the
database installations associated with eBusiness Suite, which don't
seem to follow simple best practices that I would consider DBA101.
Even if you are a good DBA, you have to check your real DBA hat in and
pick up an Oracle Apps DBA hat before doing any work on them, because
if you do things "correctly", the apps die. :)

This is not a defence of it, it's just an observation. I made a
similar comment about Java 6 when I first installed 12.1.0.5.


https://oracle-base.com/blog/2015/06/17/oracle-enterprise-manager-cloud-control-12c-release-5-12-1-0-5-my-first-two-installations/

I too get a little frustrated by this, but it is what I've come to
expect of nearly every large software vendor. Check out what's under
the hood of Microsoft BizTalk Server and you will see much the same
issues. It's cobbled together with loads of old bits of software, but
sold as a current "enterprise" solution... :)

Cheers

Tim...
