Re: Open source based vulnerabilities
What actually happens is that you call Oracle Support about a well-known vulnerability in a commonly used piece of FOSS, and ask them when they'll have a patch.
Then, they answer that they can neither confirm nor deny the existence of that particular vulnerability.
The quarterly update is problematic, since PCI-DSS compliance compels you to fix important vulnerabilities at most one month after a fix is released by the vendor. Oracle splits hairs there, arguing that *they* are the vendor, not upstream, so basically, the clock starts ticking only after the CPU is released.
That's very good for people only interested in security theater, but in practice, it means you can have *months* of exposure to a known (and exploited!) vulnerability, during which Oracle will not even acknowledge it exists, let alone help you avoid it.
In some of the worst cases, the RHEL updated RPM was available a couple of days after upstream published a fix, while Solaris got the very same one weeks, or months, later.
And that's only about the FOSS bits they use. For their proprietary code, they say nothing about what the vulnerabilities are. So you know they exist, you know they've got high scores, but you have no idea if they are exploitable/were exploited in your environment.
All that is not fun to explain to auditors, and soon it just becomes easier to dump Solaris.