It was discovered that the HTTP client implementation in the Networking component of OpenJDK enabled transparent NTLM authentication by default. This could lead to an information leak in communication with untrusted servers.
The fix introduces a new network property, jdk.http.ntlm.transparentAuth, which controls the use of transparent NTLM authentication and can take the values disabled (the default), allHosts, or trustedHosts.
This issue only affected versions of OpenJDK for Microsoft Windows; versions for Linux were not affected.
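An audit check for the effective setting on a given JVM, added here as an example (not OpenJDK's own code): it assumes the standard locations of net.properties (conf/ on JDK 9 and later, lib/ under the JDK 8 runtime image) and that a -D system property overrides the file, as sun.net.NetProperties does; the class and method names are hypothetical. It also flags the case where the key is absent entirely, because a build predating the fix has no such property and enables transparent NTLM unconditionally.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

/** Reports the effective jdk.http.ntlm.transparentAuth value of the running JVM. */
public class NtlmTransparentAuthCheck {
    static final String KEY = "jdk.http.ntlm.transparentAuth";

    /** net.properties lives in conf/ (JDK 9+) or lib/ (JDK 8 runtime); assumed standard layout. */
    static Path netPropertiesPath() {
        Path home = Paths.get(System.getProperty("java.home"));
        Path conf = home.resolve("conf").resolve("net.properties");
        return Files.exists(conf) ? conf : home.resolve("lib").resolve("net.properties");
    }

    /** Effective value: -D system property first, then the file; null if neither defines it. */
    static String effectiveValue() throws IOException {
        Properties fileProps = new Properties();
        Path p = netPropertiesPath();
        if (Files.exists(p)) {
            try (InputStream in = Files.newInputStream(p)) {
                fileProps.load(in);
            }
        }
        return System.getProperty(KEY, fileProps.getProperty(KEY));
    }

    /** Classifies the value; anything other than allHosts/trustedHosts is treated as disabled (assumption). */
    static String assess(String value) {
        if (value == null) {
            return "UNKNOWN: property not present; a build without the fix enables transparent NTLM by default";
        }
        if ("allHosts".equalsIgnoreCase(value)) {
            return "RISK: the logged-in user's credentials may be offered to any host requesting NTLM";
        }
        if ("trustedHosts".equalsIgnoreCase(value)) {
            return "LIMITED: transparent NTLM only for hosts configured as trusted";
        }
        return "OK: transparent NTLM authentication is disabled";
    }

    public static void main(String[] args) throws IOException {
        String value = effectiveValue();
        System.out.println(KEY + " = " + value + " (file: " + netPropertiesPath() + ", -D overrides)");
        System.out.println(assess(value));
    }
}
```

Run it with the same JVM and the same -D options as the application under review, since the result depends on both.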
Public now via Oracle CPU January 2019:
Fixed in Oracle Java 11.0.2, 8u201, and 7u211.
OpenJDK-8 upstream commit:
OpenJDK-11 upstream commit: