Oracle Database 11.2.0.4 and 12.1.0.2 New CPU End Dates
With the upcoming on-premise release of Oracle Database 12.2.0.1, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 11.2.0.4 and 12.1.0.2. Currently (as of January 2017), only 11.2.0.4 and 12.1.0.2 are supported for CPUs.
The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0.4 and July 2021 for 12.1.0.2. The first year of extended support for both versions is free until December 2018 for 11.2.0.4 and July 2019 for 12.1.0.2.
All Oracle databases should be updated to either 11.2.0.4 or 12.1.0.2, which provides at least three years of CPU support. To ensure database security and minimize Oracle support costs, organizations should plan to upgrade 11.2.0.4 and 12.1.0.2 databases in 2018 and move to 12.2 at that time. All new databases should be 12.1.0.2 and look to begin production use of 12.2 in late 2017 or with the release of 12.2.0.2 in eary 2018.
For databases that are not currently upgraded to 11.2.0.4 or 12.1.0.2, you must mitigate the risk of not applying security patches as there are at least 27 moderate to high risk unpatched security vulnerabilities in unsupported versions. A number of these vulnerabilities allow any user, even with only CREATE SESSION, to compromise the entire database. At a minimum, you must harden the database, limit network access as much as possible, review access and privileges, and enable auditing and monitoring in order to potentially identify attacks and compromises.
See MOS Support Note 742060.1 for more information on Oracle Database version support.