I was doing the owasp fixes in my application and came across CVE-2016-3506 - Ojdbc7, As per my analysis I could find that there will be a patch update to oracle database that could be a possible fix for this issue(https://www.oracle.com/security-alerts/cpujul2016.html .Does this means that I can continue to use the same ojdbc7 jar? Can an unpatched ojdbc client where the vulnerability exists impact/leverage this vulnerability in a database even if the CPU patch is applied to the database, or are only unpatched databases vulnerable? As I am working on a maven project and the Ojdbc7 jar are kept on a central repo can I continue to use the same ojdbc7 jar or any patch updates are required on ojdbc7 jar also?