Hi listmembers,

The exploit code as published on http://blog.red-database-security.com/ by Alex works against 11gR1 and 11gR2 using a database user that only has CREATE SESSION priv. So production DBAs: be warned.

Obvious workaround is to revoke EXECUTE privilege from PUBLIC on package SYS.DBMS_JVM_EXP_PERMS, but the impact of that revocation on your own database needs to be tested.

The blackhat movie (https://media.blackhat.com/bh-dc-10/video/Litchfield_David/BlackHat-DC-2010-Litchfield-DefeatSSL-video.mov) is currently unavailable for some reason :-

Regards,
Andre
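One way to apply and test the workaround mentioned above on a test copy of the database, as an added example that is not part of the original post. It assumes a DBA session with access to the DBA_* dictionary views; the table name jvm_exp_invalid_before is a hypothetical scratch name.

```sql
-- Added example: run as a DBA on a TEST copy of the database first.

-- 1. Who can execute the package today? Expect a row for PUBLIC.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_JVM_EXP_PERMS'
ORDER  BY grantee;

-- 2. Which stored objects outside SYS reference the package, directly
--    or through a public synonym? These are the candidates for breakage.
--    Calls made through dynamic SQL do not show up here.
SELECT owner, name, type
FROM   dba_dependencies
WHERE  referenced_name  = 'DBMS_JVM_EXP_PERMS'
AND    referenced_owner IN ('SYS', 'PUBLIC')
AND    owner <> 'SYS'
ORDER  BY owner, name;

-- 3. Record the objects that are already invalid, so that step 5 only
--    reports what the revoke changed (hypothetical scratch table).
CREATE TABLE jvm_exp_invalid_before AS
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID';

-- 4. The workaround from the post.
REVOKE EXECUTE ON sys.dbms_jvm_exp_perms FROM PUBLIC;

-- 5. Objects that became invalid after the revoke.
SELECT owner, object_name, object_type
FROM   dba_objects
WHERE  status = 'INVALID'
MINUS
SELECT owner, object_name, object_type
FROM   jvm_exp_invalid_before;

-- 6. Confirm PUBLIC no longer appears among the grantees (rerun step 1),
--    then exercise the application's Java-related functionality.

-- Rollback if testing shows the application depends on the grant:
-- GRANT EXECUTE ON sys.dbms_jvm_exp_perms TO PUBLIC;

DROP TABLE jvm_exp_invalid_before;
```

If step 2 or step 5 lists application schemas, grant EXECUTE to those specific schemas rather than restoring the PUBLIC grant.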