It was discovered that the TLS implementation in the Security component of OpenJDK did not correctly handle CertificateVerify TLS handshake message received unexpectedly. A remote attacker attacker could use this flaw to affect confidentiality or integrity of a TLS connection.
Public now via Oracle CPU January 2020: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA Fixed in Oracle Java SE 13.0.2 and 11.0.6.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0128 https://access.redhat.com/errata/RHSA-2020:0128
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0122 https://access.redhat.com/errata/RHSA-2020:0122
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0232 https://access.redhat.com/errata/RHSA-2020:0232
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/ff2ef987e77a