For the first time in years there is a new “0-day” exploit for Oracle databases (this one). I can’t find where this was originally posted, but it seems that whoever discovered this vulnerability didn’t notify Oracle that this bug existed before the exploit was in the wild.

Let me be very clear about this: security researchers generally do a great job, but a bug that is this severe shouldn’t be released before the vendor has a chance to create a patch. Kudos to Oracle for releasing an update this soon!