Oracle Database Server contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands with the privileges of the database user.
The vulnerability is due to a security weakness in the JAVA_ADMIN role. An attacker with the JAVA_ADMIN role and privileges to create procedures could exploit the vulnerability to run arbitrary commands on the underlying operating system with the privileges of the database server. Code execution could allow the attacker to escalate privileges to those of OSDBA.
Functional exploit code is publicly available.
Oracle has not confirmed this vulnerability, and updated software is not available.
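
With no updated software available, exposure depends on which accounts meet both preconditions described above. The following audit query is an added example, not part of the original advisory or any Oracle guidance. It lists accounts that hold JAVA_ADMIN (directly or through nested roles) together with a procedure-creation privilege. It assumes the querying account can read the DBA_* dictionary views and that "privileges to create procedures" corresponds to the CREATE PROCEDURE or CREATE ANY PROCEDURE system privileges.

```sql
-- Added audit example (not from the advisory).
-- Assumption: run by an account that can read DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_USERS.
WITH role_closure AS (
    -- Every (holder, role) pair, following role-to-role grants transitively.
    -- With no START WITH clause, each grant row is treated as a starting point.
    SELECT CONNECT_BY_ROOT grantee AS holder,
           granted_role
    FROM   dba_role_privs
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
java_admin AS (
    -- Grantees that end up with JAVA_ADMIN, directly or through another role.
    SELECT DISTINCT holder
    FROM   role_closure
    WHERE  granted_role = 'JAVA_ADMIN'
),
proc_privs AS (
    -- Procedure-creation privilege granted straight to the grantee ...
    SELECT grantee AS holder, privilege, 'DIRECT' AS granted_via
    FROM   dba_sys_privs
    WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
    UNION
    -- ... or inherited from any role in the grantee's closure.
    SELECT rc.holder, sp.privilege, rc.granted_role AS granted_via
    FROM   role_closure rc
    JOIN   dba_sys_privs sp ON sp.grantee = rc.granted_role
    WHERE  sp.privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
)
-- Accounts meeting both preconditions named in the advisory.
SELECT u.username,
       u.account_status,
       p.privilege,
       p.granted_via
FROM   dba_users  u
JOIN   java_admin j ON j.holder = u.username
JOIN   proc_privs p ON p.holder = u.username
ORDER  BY u.username, p.privilege, p.granted_via;
```

Each returned account is a candidate for having JAVA_ADMIN revoked or its procedure-creation privilege removed where the combination is not required.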