It was discovered that JAXP the CharInfo object did not properly prevent access to arbitrary files when a SecurityManager is present. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
Fixed now in Oracle Java SE 5.0u75, 6u75, 7u55 and 8u5 via Oracle Critical Patch Update Advisory - April 2014. Fixed in IcedTea6 1.13.3 and IcedTea7 2.4.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027214.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html External References: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2014:0407 https://rhn.redhat.com/errata/RHSA-2014-0407.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0406 https://rhn.redhat.com/errata/RHSA-2014-0406.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2014:0408 https://rhn.redhat.com/errata/RHSA-2014-0408.html
This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2014:0413 https://rhn.redhat.com/errata/RHSA-2014-0413.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2014:0412 https://rhn.redhat.com/errata/RHSA-2014-0412.html
OpenJDK upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/4df81f03dc2b
This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0675 https://rhn.redhat.com/errata/RHSA-2014-0675.html
This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:0685 https://rhn.redhat.com/errata/RHSA-2014-0685.html