Oracle Java SE 6u201, 7u191, and 8u181 fixes an unspecified vulnerability in the Java DB component (CVE-2018-2938). Upstream has CVSS scored this issue as: 9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H External Reference: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA
This issue did not affect Oracle Java SE packages as shipped via Oracle Java for Red Hat Enterprise Linux channels, as they did not include the Java DB / Apache Derby component.
The issue was addressed upstream by removing Java DB from the Oracle Java SE distribution. Quoting from the upstream release notes: Removed Features and Options other-libs/javadb ➜ Removal of Java DB Java DB, also known as Apache Derby, has been removed in this release. We recommend that you obtain the latest Apache Derby directly from the Apache project at: https://db.apache.org/derby JDK-8197871 (not public) http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_191 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_201
The Oracle CPU was updated and now has this note for this CVE: CVE-2018-2938 addresses CVE-2018-1313 Apparently, this CVE is a duplicate of a Derby issue that has been made public previously - CVE-2018-1313 / bug 1575639.