here is a no-auth remote compromise of oracle db's from a few months back...
NGSSoftware Insight Security Research Advisory
Name: PLSQL Injection in Oracle Application Server
Systems Affected: Oracle Application Server 220.127.116.11, 10.1.2.2, 10.1.4.1
Vendor URL: http://www.oracle.com/
Author: David Litchfield [ davidl at ngssoftware.com ]
Reported: 9th October 2007
Date of Public Advisory: 15th July 2008
Advisory number: #NISR15072008
do you see what i saw?
it was publicly disclosed in july 08, but reported to the vendor in *oct 07*. no-auth remote compromise just hanging for the better part of a year...
i'm sorry, but if it really takes that long to dev a security patch, oracle is doing something really really wrong.
this is one of those times where (imho) dropping 0day to kick vendors in the arse is completely justified. not weaponized or anything, but get that info out there. how many other peeps found that vuln and didn't disclose? no one will ever know...