As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers. Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts. See My Oracle Support Note ID 1596629.1 for more information.
Almost all security vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i. A significant number of these security bugs are SQL injection bugs allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account. These attacks can easily compromise the entire application and database. In the past year, Oracle has fixed 250 security vulnerabilities in Oracle E-Business Suite 11i and R12.
Oracle E-Business Suite 11i customers without Tier 1 support, as well as 12.0 customers, should take immediate take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport. A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.