I just spotted this update on Cert's web site:
Essentially Enterprise Vault uses the Outside-In technology from Oracle to convert content to HTML (for indexing). This technology from Oracle has a security vulnerability in it, which Oracle have fixed.
Symantec's response is in this post:
Symantec has released an update to Symantec’s Enterprise Vault product suite to address these issues. Symantec recommends all Symantec Enterprise Vault product suite customers upgrade to Symantec Enterprise Vault 10.0.2 to address any possibility of threats of this nature.
Symantec Enterprise Vault 10.0.2 is currently available through normal update channels
It's another good reason to upgrade to Enterprise Vault 10.0.2