It was found that the JAXP (Java API for XML Processing) component of OpenJDK failed to correctly enforce parse tree size limits when parsing XML documents. An attacker able to make a Java application parse a specially crafted XML document could use this flaw to make it consume an excessive amount of CPU and memory.
Public now via Oracle CPU April 2017, fixed in Oracle JDK 8u131, 7u141, and 6u151. External References: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
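As an added example (not part of the original report or of any vendor tooling), the following Python sketch classifies `java -version` output against the fixed Oracle JDK update levels quoted above. The host names and sample outputs are constructed, and the function names are hypothetical; vendor builds that use a different versioning scheme should be checked against the vendor's errata instead.

```python
import re

# Fixed Oracle JDK update levels quoted in the comment above (8u131, 7u141, 6u151).
FIXED_UPDATE = {6: 151, 7: 141, 8: 131}

# Legacy version scheme printed by `java -version`: 1.<major>.0[_<update>][-suffix]
_VERSION_RE = re.compile(r'^1\.(\d+)\.0(?:_(\d+))?(?:-[\w.+-]+)?$')


def extract_version(java_version_output):
    """Pull the quoted version string out of `java -version` output."""
    m = re.search(r'version "([^"]+)"', java_version_output)
    return m.group(1) if m else None


def parse_legacy_version(version):
    """Return (major, update) for a '1.8.0_121' style string, else None."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def jaxp_fix_status(version):
    """Return 'fixed', 'below-fix', or 'unknown' (release line not listed above)."""
    parsed = parse_legacy_version(version)
    if parsed is None or parsed[0] not in FIXED_UPDATE:
        return "unknown"
    major, update = parsed
    return "fixed" if update >= FIXED_UPDATE[major] else "below-fix"


def audit(inventory):
    """Map each host to the status of the JDK it reported."""
    return {host: jaxp_fix_status(extract_version(out) or "")
            for host, out in inventory.items()}


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "app01": 'java version "1.8.0_121"',
    "app02": 'openjdk version "1.8.0_131"',
    "batch01": 'java version "1.7.0_141-b02"',
    "legacy01": 'java version "1.6.0_45"',
    "new01": 'java version "9.0.4"',
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A result of `unknown` means the release line is not one of the three listed above, so the comparison does not apply.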
OpenJDK8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/756b7a2f20cc
This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2017:1109 https://access.redhat.com/errata/RHSA-2017:1109
This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2017:1108 https://access.redhat.com/errata/RHSA-2017:1108
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7, Oracle Java for Red Hat Enterprise Linux 6. Via RHSA-2017:1118 https://access.redhat.com/errata/RHSA-2017:1118
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7, Oracle Java for Red Hat Enterprise Linux 6. Via RHSA-2017:1117 https://access.redhat.com/errata/RHSA-2017:1117
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7, Oracle Java for Red Hat Enterprise Linux 6. Via RHSA-2017:1119 https://access.redhat.com/errata/RHSA-2017:1119
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7. Via RHSA-2017:1204 https://access.redhat.com/errata/RHSA-2017:1204