It was discovered that the implementation of the Throwable class in the Utilities component of OpenJDK did not sufficiently validate serial stream before deserializing suppressed exceptions. A specially-crafted input could cause a Java application to construct inconsistent object and possibly use an excessive amount of system resources when deserialized.
Public now via Oracle CPU July 2019: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA Fixed in Oracle Java SE 12.0.2, 11.0.4, 8u221, and 7u231.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1817 https://access.redhat.com/errata/RHSA-2019:1817
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1810 https://access.redhat.com/errata/RHSA-2019:1810
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1811 https://access.redhat.com/errata/RHSA-2019:1811
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1815 https://access.redhat.com/errata/RHSA-2019:1815
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1816 https://access.redhat.com/errata/RHSA-2019:1816
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1840 https://access.redhat.com/errata/RHSA-2019:1840
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1839 https://access.redhat.com/errata/RHSA-2019:1839
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:2495 https://access.redhat.com/errata/RHSA-2019:2495
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:2494 https://access.redhat.com/errata/RHSA-2019:2494
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-2762
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:2585 https://access.redhat.com/errata/RHSA-2019:2585
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2590 https://access.redhat.com/errata/RHSA-2019:2590
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:2592 https://access.redhat.com/errata/RHSA-2019:2592
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2019:2737 https://access.redhat.com/errata/RHSA-2019:2737
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/a88c525553e6 OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f7b22e107b51 OpenJDK-7 upstream commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/a15b0903de83