I just learned the following, which I wanted to share with you.
One reason for using the 10.1.3.3 HTTP Server rather than the companion cd - Apache 2.0 - version is that no generic patchsets are ever issued for the Apache 2.0 version. It means that the MOD_OC4J component which comes with the 2.0 version always stays the same and neve
r receives any bug fixes. You can also more easily configure the base 10.1.3 HTTP Server as part of an OracleAS 10.1.3 cluster topology.
I had the idea that a stand alone OHS in the web tier (e.g. in the DMZ) would be a better setup as there are less points to attack, especially as there is a direct exposion to the Internet.
I'll try to switch to the AS 10.1.3.x version instead of the stand alone OHS to see if this solves my problem.
However I do not understand why Oracle keep different patch regimes with their software when they should share the same code base?