New Oracle Vulnerabilities

oracle, security
Jose Luis Canciani (josecanciani at Twitter)

The last few days have surprised us with several vulnerabilities in Oracle products. Here's a link to an Oracle report from Feb 4th:

http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html

A vulnerability has also been circulating that would allow any database user to access any filesystem file owned by oracle. This is serious, since the attacker could potentially delete database files, for example.

The workaround until the next patch is easy: just revoke the EXECUTE privilege on the package DBMS_JVM_EXP_PERMS from PUBLIC. Another vulnerability involves a DBA escalation (sysdba) via the DBMS_JAVA.SET_OUTPUT_TO_JAVA procedure. You can revoke execute on that package too, although that is not an option for those of you who use the package for something else.
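One way to apply and verify this workaround, as an added example that is not part of the original post. It assumes a DBA session (for the DBA_* dictionary views) and that both packages are owned by SYS:

```sql
-- Added example, not from the original post. Run as a DBA (e.g. in SQL*Plus).

-- 1. Audit: who can currently execute the two packages named above?
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
   AND privilege  = 'EXECUTE'
 ORDER BY table_name, grantee;

-- 2. Impact check before revoking: stored code outside SYS that references
--    either package, directly or through its public synonym.
--    Callers that use dynamic SQL are not recorded here, so review
--    application code as well.
SELECT owner, name, type, referenced_owner, referenced_name
  FROM dba_dependencies
 WHERE referenced_name  IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
   AND referenced_owner IN ('SYS', 'PUBLIC')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Workaround from the post: remove the PUBLIC grant.
--    Raises ORA-01927 if PUBLIC never had the grant, which is harmless.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- Only if step 2 showed nothing you depend on for DBMS_JAVA:
-- REVOKE EXECUTE ON sys.dbms_java FROM PUBLIC;

-- 4. Verify: list the PUBLIC grants that remain on the two packages.
--    DBMS_JVM_EXP_PERMS should no longer appear.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND owner      = 'SYS'
   AND table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
   AND privilege  = 'EXECUTE';

-- Rollback, if something legitimate breaks:
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO PUBLIC;
```

Schemas that still need one of the packages after the revoke can be given a direct EXECUTE grant instead of relying on PUBLIC.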

More details at http://secunia.com/advisories/38353/




Comments


* Jose Luis Canciani (josecanciani at Twitter) -
Thanks for the heads-up!
* Carla Ferfolja (carli_f at Twitter) -
Testing Carli


 


2010 Copyright © 4TM - all rights reserved

www.4tm.biz