Oracle 0 day

From: Andre van Winssen <>
Date: Fri, 5 Feb 2010 12:30:37 +0100
Message-ID: <>

Hi listmembers,

The exploit code as published on by Alex works against 11gR1 and 11gR2 using a database user that only has CREATE SESSION priv.

So production DBAs: be warned. The obvious workaround is to revoke the EXECUTE privilege from PUBLIC on package SYS.DBMS_JVM_EXP_PERMS, but the impact of that revocation on your own database needs to be tested.

The blackhat movie ( is currently unavailable for some reason :-


Received on Fri Feb 05 2010 - 05:30:37 CST
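
The workaround mentioned in the message above, written out as a check-revoke-verify sequence. This is an added example, not part of the original post; it assumes a DBA session in SQL*Plus and uses only the standard dictionary views DBA_TAB_PRIVS, DBA_DEPENDENCIES and DBA_OBJECTS.

```sql
-- Added example: assess and apply the revoke described in the message.
-- Run as a DBA on a test copy of the database first.

-- 1. Who currently holds EXECUTE on the package (PUBLIC is the concern)?
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_JVM_EXP_PERMS'
ORDER  BY grantee;

-- 2. Which stored objects outside SYS reference the package, directly or
--    through a PUBLIC synonym of the same name (if one exists)?
--    Only static references are recorded here; calls made through
--    dynamic SQL or from Java are not, so application testing is still needed.
SELECT owner, name, type, referenced_owner
FROM   dba_dependencies
WHERE  referenced_name  = 'DBMS_JVM_EXP_PERMS'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner            <> 'SYS'
ORDER  BY owner, name;

-- 3. Record the objects that are already invalid, for comparison afterwards.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
ORDER  BY owner, object_name;

-- 4. Apply the workaround.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 5. Re-run query 1 (PUBLIC should be gone) and query 3 (any new rows
--    are objects that relied on the PUBLIC grant).

-- 6. Where a schema from step 2 legitimately needs the package, grant to
--    that schema only. APP_OWNER is a placeholder schema name.
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO app_owner;

-- Rollback if testing shows unacceptable impact:
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO PUBLIC;
```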
