Public now via Oracle CPU July 2016, fixed in Oracle JDK 8u101, 7u111, and 6u121.

External References:

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html#AppendixJAVA

There is an entry in the release notes related to this issue:

http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html

  other-libs/corba
  Improve access control to javax.rmi.CORBA.ValueHandler

  The javax.rmi.CORBA.Util class provides methods that can be used by stubs
  and ties to perform common operations. It also acts as a factory for
  ValueHandlers. The javax.rmi.CORBA.ValueHandler interface provides services
  to support the reading and writing of value types to GIOP streams. The
  security awareness of these utilities has been enhanced with the
  introduction of a permission
  java.io.SerializablePermission("enableCustomValueHanlder").
  This is used to establish a trust relationship between the users of the
  javax.rmi.CORBA.Util and javax.rmi.CORBA.ValueHandler APIs.

  The required permission is "enableCustomValueHanlder"
  SerializablePermission. Third party code running with a SecurityManager
  installed, but not having the new permission while invoking
  Util.createValueHandler(), will fail with an AccessControlException.

  This permission check behaviour can be overridden, in JDK8u and previous
  releases, by defining a system property,
  "jdk.rmi.CORBA.allowCustomValueHandler".

  As such, external applications that explicitly call
  javax.rmi.CORBA.Util.createValueHandler require a configuration change
  to function when a SecurityManager is installed and neither of the
  following two requirements is met: 

  1. The java.io.SerializablePermission("enableCustomValueHanlder") is not
  granted by SecurityManager.

  2. In the case of applications running on JDK8u and before, the system
  property "jdk.rmi.CORBA.allowCustomValueHandler" is either not defined or
  is defined equal to "false" (case insensitive).

  Please note that the "enableCustomValueHanlder" typo will be corrected in
  the October 2016 releases. In those and future JDK releases,
  "enableCustomValueHandler" will be the correct SerializationPermission
  to use.

  JDK-8079718 (not public)

Note that OpenJDK packages in Red Hat Enterprise Linux will use correctly spelt name for the "enableCustomValueHandler" permission, but will also recognize mis-spelt "enableCustomValueHanlder" for compatibility with Oracle JDK.

OpenJDK 8 upstream commit:

http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/4821afbaa2a6

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1458 https://access.redhat.com/errata/RHSA-2016:1458

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1477 https://access.redhat.com/errata/RHSA-2016:1477

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 5
  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2016:1476 https://access.redhat.com/errata/RHSA-2016:1476

This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2016:1475 https://access.redhat.com/errata/RHSA-2016:1475

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1504 https://rhn.redhat.com/errata/RHSA-2016-1504.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1776 https://rhn.redhat.com/errata/RHSA-2016-1776.html