A flaw was discovered in the way the Libraries component of OpenJDK processed X.509 certificates. Values of Object Identifiers (OIDs) were "interned", possibly allowing a malicious X.509 certificate to trigger excessive memory usage in a Java application processing such certificate.
Public now via Oracle CPU January 2020: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA Fixed in Oracle Java SE 13.0.2, 11.0.6, 8u241, and 7u251.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0128 https://access.redhat.com/errata/RHSA-2020:0128
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0122 https://access.redhat.com/errata/RHSA-2020:0122
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0157 https://access.redhat.com/errata/RHSA-2020:0157
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0196 https://access.redhat.com/errata/RHSA-2020:0196
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0202 https://access.redhat.com/errata/RHSA-2020:0202
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0231 https://access.redhat.com/errata/RHSA-2020:0231
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0232 https://access.redhat.com/errata/RHSA-2020:0232
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0541 https://access.redhat.com/errata/RHSA-2020:0541
OpenJDK-7 upstream commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/60a6121b1b5f OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/80ade7e8b392 OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/837b7afec083
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0632 https://access.redhat.com/errata/RHSA-2020:0632
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2654
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:2236 https://access.redhat.com/errata/RHSA-2020:2236
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:2237 https://access.redhat.com/errata/RHSA-2020:2237
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:2239 https://access.redhat.com/errata/RHSA-2020:2239
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:2238 https://access.redhat.com/errata/RHSA-2020:2238
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2241 https://access.redhat.com/errata/RHSA-2020:2241