A covert timing channel flaw was found in the ECDSA implementation in the Libraries component of OpenJDK. A remote attacker able to make a Java application generate ECDSA signatures on demand could possibly use this flaw to extract certain information about the key use via a timing side channel.
This fix patches code in the ec/impl/ec.c source file. The OpenJDK packages in Red Hat Enterprise Linux do not use this EC cryptography implementation that is included in OpenJDK sources, but rather use code from the Mozilla NSS library, which includes an EC implementation based on the same code originally from Sun Microsystems. Apparently, this flaw was corrected in NSS back in 2011, and fixes were first included in NSS version 3.13:

https://bugzilla.mozilla.org/show_bug.cgi?id=660394
https://hg.mozilla.org/projects/nss/rev/079cfc4710c7
http://eprint.iacr.org/2011/232

Therefore, this fix is already included in the current versions of the nss or nss-softokn packages included in Red Hat Enterprise Linux 5, 6, and 7.
Public now via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA

The issue was fixed in Oracle JDK 8u121 and 7u131.
OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/41594ac7ca27
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216