Oracle and security. What a sad joke!
Their critical patch update is a complete nightmare to apply, to put it mildly.
It looks like they might be addressing some of the zillions of problems with their source code, but what’s important with security fixes is how you deploy them.
Oracle hasn’t a clue about this.
My approach is once you have a database installed (that’s a miracle in itself), limit it to “trusted user” IPs with /etc/hosts.allow or firewall filtering. And pray.