Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts. As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i. October 2016 is the last CPU patch for Oracle E-Business Suite 11i. For 12.0, the last CPU patch was October 2015.
Even though there are no more security patches, many, if not most, vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i. A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account. These attacks can easily compromise the entire application and database.
As there are no more security patches for 11i and 12.0, we strongly recommend all 11i and 12.0 customers who have not yet upgraded to 12.x take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport. A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.
Reference: AppDefend for the Oracle E-Business Suite