Oracle still hasn't patched the vulnerability the group has been using in its attacks since late May.