The nested jar auto-extraction feature is vulnerable to "zip-slip" attacks, resulting in directory traversal. A specially crafted JAR file could use this flaw to write and overwrite arbitrary files. Combined with CVE-2019-10181, it can be used to rewriting the main Java application, which could possibly be used to escape the sandbox.
Acknowledgments: Name: Imre Rad
Created icedtea-web tracking bugs for this issue: Affects: fedora-all [bug 1734804]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2004 https://access.redhat.com/errata/RHSA-2019:2004
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2003 https://access.redhat.com/errata/RHSA-2019:2003
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10185
Mitigation: No known mitigation.
Upstream fixes : * 1.7 branch : CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/f9c2cf7fd24415ba2bb2619b69259035338ee5b6 CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/26305807b41a5b4e9813db42531acd754899207f CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd * 1.8 branch : CVE-2019-10182 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/7958049eedc213be1ad4ae80ee312b167ddb320f CVE-2019-10185 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/686213a6d68c21879d92cea3699b279c8f2662fa CVE-2019-10181 : https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e