The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter. Starting with the October 2016 CPU, only 184.108.40.206 and 220.127.116.11 are supported. In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 18.104.22.168 or 22.214.171.124. As these are terminal database releases, the final CPU patch for 126.96.36.199 is July 2021 and for 188.8.131.52 is October 2020. For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available which include both security fixes and a large number of high priority fixes - Security Patch Updates (SPU) which include only security fixes are not available for 12c.
The October 2016 CPU fixes 12 security bugs in 7 database components. Only the APEX (Application Express) security bug is remotely exploited without authentication – as with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.
This CPU should be considered HIGH risk due to the 5 security bugs that require only CREATE SESSION privilege in order to exploit. These bugs can be exploited by any database user and can be used to compromise the entire database.