IBM JDK 8 SR5 FP30 (8.0.5.30) fixes a flaw described by upstream as:

Eclipse OpenJ9 could allow a remote attacker to execute arbitrary code on the system, caused by the failure to omit a null check on the receiver object of an Unsafe call when accelerating it. An attacker could exploit this vulnerability to execute arbitrary code on the system.

OpenJ9 upstream bug:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=544019

Related OpenJ9 upstream commit seems to be:
https://github.com/eclipse/openj9/commit/531d3f96fe9cdcf6baad9f6d6837be8fbc805d8d

References:
https://www-01.ibm.com/support/docview.wss?uid=ibm10873332
https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_March_2019
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary
Via RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0469
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary
Via RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0472
Statement: This issue affects the versions of the java-1.8.0-ibm package as shipped with Red Hat Satellite 5. However, OpenJ9 is loaded only by taskomatic and Tomcat. These 2 processes are listening on the loopback interface only. This flaw is not known to be remotely exploitable under any supported scenario in Satellite 5.
This issue has been addressed in the following products: Red Hat Satellite 5.8
Via RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:0640
This issue has been addressed in the following products: Red Hat Enterprise Linux 8
Via RHSA-2019:1238 https://access.redhat.com/errata/RHSA-2019:1238