A flaw was found in the Utility component of OpenJDK. The Multi-Release attribute could have been read from outside of the main attributes in a Jar manifest, possibly leading to a use of an unsigned value for this attribute. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Public via Oracle CPU October 2018:
The issue was fixed in Oracle JDK 11.0.1.
OpenJDK-11 upstream commit:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521