It was discovered that the RMI component of OpenJDK enabled HTTP transport for RMI servers by default. This could possibly expose RMI services to attackers who can not connect to them directly by attacking web browsers of users able to directly connect to the services. The fix for this issue disables the use of RMI HTTP transport by default. System properly java.rmi.server.disableIncomingHttp (with the default value of "true") can be used to enable HTTP transport.
Public now via Oracle CPU April 2018: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA The issue was fixed in Oracle 8u171, 7u181, and 6u191.
Relevant entry in the Oracle JDK release notes: core-libs/java.rmi Server-side HTTP-tunneled RMI Connections Disabled Server side HTTP-tunneled RMI connections have been disabled by default in this release. This behavior can be reverted by setting the runtime property sun.rmi.server.disableIncomingHttp property to false. Note, this should not be confused with the sun.rmi.server.disableHttp property, which disables HTTP-tunneling on the client side and is false by default. JDK-8193833 (not public) http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_181 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_191
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1188 https://access.redhat.com/errata/RHSA-2018:1188
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1191 https://access.redhat.com/errata/RHSA-2018:1191
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d70c21e5b413
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1201 https://access.redhat.com/errata/RHSA-2018:1201
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1202 https://access.redhat.com/errata/RHSA-2018:1202
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1204 https://access.redhat.com/errata/RHSA-2018:1204
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1203 https://access.redhat.com/errata/RHSA-2018:1203
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:1205 https://access.redhat.com/errata/RHSA-2018:1205
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:1206 https://access.redhat.com/errata/RHSA-2018:1206
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:1270 https://access.redhat.com/errata/RHSA-2018:1270
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:1278 https://access.redhat.com/errata/RHSA-2018:1278
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:1721 https://access.redhat.com/errata/RHSA-2018:1721
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:1722 https://access.redhat.com/errata/RHSA-2018:1722
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:1723 https://access.redhat.com/errata/RHSA-2018:1723
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:1724 https://access.redhat.com/errata/RHSA-2018:1724
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2018:1974 https://access.redhat.com/errata/RHSA-2018:1974
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:1975 https://access.redhat.com/errata/RHSA-2018:1975