A covert timing channel flaw was found in the ECDSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate ECDSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel.
Public now via Oracle CPU July 2017: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixJAVA The issue was fixed in Oracle JDK 8u141 and 7u151.
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/996632997de8
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:1791 https://access.redhat.com/errata/RHSA-2017:1791
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:1790 https://access.redhat.com/errata/RHSA-2017:1790