Oracle Database Server contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary code as the OSDBA user.
The vulnerability is due to a design error in the database. An attacker with EXECUTE permissions on a directory and CREATE TABLE privileges could exploit this vulnerability to execute arbitrary code with OSDBA privileges. The attacker could also run commands on the underlying operating system with the privileges of the Database Server process. Exploitation could lead to a full compromise of the affected database.
Functional exploit code is publicly available.
Oracle has not confirmed this vulnerability and updated software is not available.