A flaw was found in the TLS implementation in the JSSE component of OpenJDK. Setting algorithm constraints on SSLParameters using the setAlgorithmConstraints() method could override the systems security policy defined using the jdk.tls.disabledAlgorithms security property and lead to the use of weak algorithms that were intended to be disabled.
Public now via Oracle CPU April 2020: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA Fixed in Oracle Java SE 14.0.1 and 11.0.7.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1509 https://access.redhat.com/errata/RHSA-2020:1509
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1514 https://access.redhat.com/errata/RHSA-2020:1514
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-2778
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1517 https://access.redhat.com/errata/RHSA-2020:1517
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/36975c9e57a3