Which JVM is the security tool complaining about (what is the directory path, for example)?
My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools. If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis. They're only used by things like the OUI which only get invoked when someone wants to do something like install new software. Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools.
If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools. That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging.
Thank you for the response, the scanner reported the issue at this path:
having this installed version:
and that the following versions would be OK, security-wise:
I attempted to apply the Oracle January SPU for Linux 22.214.171.124 (14841409) to the client and no patches were actually applied. OPatch reported that each patch "is not needed". Is there some other way to patch the Oracle installed Java version.
You cannot update the JDK version that ships with Oracle binaries. Pl see this MOS Doc
Is It Supported to Update /Upgrade the Default JDK/JRE in Oracle Home? [ID 1449674.1]
Pl see Table 1 in the README for patch 14841409 - was SPU for Oct 2012 applied ? If so, there are no new client related fixes in the Jan 2013 SPU