I also noticed another post to the bugtraq mailing list this evening from Cesar Cerrudo of Argeniss titled "[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package". The post describes the issue that Esteban Martinez Fayo found some months ago in the package OLAPSYS.CWM2_OLAP_AW_AWUTIL. Basically Oracle told Esteban that the issue was fixed in the July CPU, but when he tested a patched 9iR2 system it was not fixed; 10gR1 was fixed. Esteban and Cesar contacted Oracle's security team and asked why it was not fixed, and they said "Our development teams neglected to do the backports. We are working on creating those backports now". Oracle has said the issue will be fixed in the October CPU. Argeniss say this is a high-risk vulnerability and that Oracle should care more about protecting customers, so they have released a workaround in the meantime. This workaround can be found here: http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql (broken link)
This workaround uses a procedure to loop through all users and roles that have been granted EXECUTE on CWM2_OLAP_AW_AWUTIL, including the grant to PUBLIC, and revoke the privilege. Beware that running this could break applications that depend on these execute privileges; the script states this at the top.
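To illustrate the shape of such a workaround, here is an added example of my own (it is not the Argeniss script, which I have not reproduced here). It first lists who currently holds EXECUTE on the package and which objects depend on it, so you can see what might break, and then revokes EXECUTE from every grantee, PUBLIC included. It assumes you run it as SYS (or another DBA with GRANT ANY OBJECT PRIVILEGE) and that the package lives in the OLAPSYS schema as described above:

```sql
-- Added example, not the Argeniss workaround script. Assumes it is run as SYS.

-- 1. Check before revoking: who can execute the package today?
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner      = 'OLAPSYS'
   AND table_name = 'CWM2_OLAP_AW_AWUTIL'
   AND privilege  = 'EXECUTE';

-- 2. Check before revoking: which stored objects reference the package?
--    Their owners will lose the ability to call it unless they hold
--    EXECUTE some other way, so this is the list of things that may break.
SELECT owner, name, type
  FROM dba_dependencies
 WHERE referenced_owner = 'OLAPSYS'
   AND referenced_name  = 'CWM2_OLAP_AW_AWUTIL';

-- 3. Revoke EXECUTE from every grantee found in DBA_TAB_PRIVS.
--    PUBLIC is a keyword rather than a user name, so it is not quoted;
--    other grantees are quoted to preserve any mixed-case names.
BEGIN
  FOR r IN (SELECT grantee
              FROM dba_tab_privs
             WHERE owner      = 'OLAPSYS'
               AND table_name = 'CWM2_OLAP_AW_AWUTIL'
               AND privilege  = 'EXECUTE')
  LOOP
    IF r.grantee = 'PUBLIC' THEN
      EXECUTE IMMEDIATE 'REVOKE EXECUTE ON OLAPSYS.CWM2_OLAP_AW_AWUTIL FROM PUBLIC';
    ELSE
      EXECUTE IMMEDIATE 'REVOKE EXECUTE ON OLAPSYS.CWM2_OLAP_AW_AWUTIL FROM "'
                        || r.grantee || '"';
    END IF;
  END LOOP;
END;
/

-- 4. Verify: this should now return no rows.
SELECT grantee
  FROM dba_tab_privs
 WHERE owner      = 'OLAPSYS'
   AND table_name = 'CWM2_OLAP_AW_AWUTIL'
   AND privilege  = 'EXECUTE';
```

Run steps 1 and 2 on their own first and review the output with the application owners; only once you know what depends on the package should step 3 be run. Users with SYS or DBA-level privileges such as EXECUTE ANY PROCEDURE are unaffected by object-level revokes, which is why this is a workaround rather than a fix, and the real remedy remains the October CPU.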