This vulnerability is in the IMPORT_JVM_PERMS procedure of the DBMS_JVM_EXP_PERMS package.
An authenticated, remote attacker could make a crafted call to IMPORT_JVM_PERMS that causes the Java Virtual Machine to grant the attacker the ability to run commands on the system and to read and write files. Other database controls still prevent the attacker from performing these actions, but that restriction can be bypassed by making a crafted call to the SET_OUTPUT_TO_JAVA procedure in the DBMS_JAVA package, which can allow the attacker to run commands on the operating system with the privileges of the database process user. An attacker could use this command execution to create a new user with DBA privileges.
Additionally, vulnerabilities in the Java implementation could allow an attacker to bypass Label Security by loading dynamic libraries into the database process. This action could allow the attacker to access restricted data.
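An audit check for the exposure described above, added here as an example and not part of the original advisory. It assumes a session with read access to the DBA_TAB_PRIVS and DBA_JAVA_POLICY dictionary views; which grantees count as expected is for the reviewer to decide.

```sql
-- Added audit example; not from the original advisory.
-- Assumption: the session can read the DBA_* dictionary views.

-- 1. Accounts and roles that can execute the packages named in the
--    advisory. A grant to PUBLIC means every authenticated user can
--    reach IMPORT_JVM_PERMS and SET_OUTPUT_TO_JAVA.
SELECT grantee,
       owner,
       table_name AS package_name,
       privilege,
       grantable
FROM   dba_tab_privs
WHERE  privilege = 'EXECUTE'
AND    table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
ORDER  BY table_name, grantee;

-- 2. Enabled Java policy grants that permit file access, command
--    execution or library loading. Entries held by ordinary
--    application or user accounts that nobody can account for
--    should be investigated.
SELECT grantee,
       kind,
       type_name,
       name,
       action,
       enabled,
       seq
FROM   dba_java_policy
WHERE  kind = 'GRANT'
AND    enabled = 'ENABLED'
AND    type_name IN ('java.io.FilePermission',
                     'java.lang.RuntimePermission')
ORDER  BY grantee, type_name, name;
```

Running the second query on a schedule and comparing against a saved baseline shows any Java permission that appears without a matching change record.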