A flaw was found in the way the JSSE component of OpenJDK handled certificate status / OCSP stapling message during TLS handshake. A remote attacker could possibly use this flaw to gain access to certain sensitive information by manipulating TLS handshake messages.
Public now via Oracle CPU July 2019: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA Fixed in Oracle Java SE 12.0.2 and 11.0.4.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1817 https://access.redhat.com/errata/RHSA-2019:1817
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1810 https://access.redhat.com/errata/RHSA-2019:1810
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/6a4d57474e1c