Oracle and Java exploits - An anecdote:-
A couple of weeks ago I tried to log into my superannuation account, and the browser fired back an authentication error, so I notified the company (MLC), who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was at version (184.108.40.206.0). Oracle's current version was 220.127.116.11.0. Not too surprising: a supplier that had not patched to the current version.
What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - a compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size.
It has been a few years since I wrote any Oracle stuff, but that is ridiculous; what the hell have web-based script kiddy/Java type developers been up to? Admittedly I started with Oracle in the Stone Age (V3) and actually shipped an application that used V4. By V6 the C interface, which included all the necessary external validation code, was small enough to be easily understood and modified by a single programmer. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation, would fit on a floppy.