It was discovered that the TIFF plugin in the ImageIO component of OpenJDK did not restrict the amount of memory allocated when reading TIFF image files. A specially crafted TIFF file could cause a Java application using ImageIO to allocate an excessive amount of memory disproportionate to the image size.
Public now via Oracle CPU July 2020 (https://www.oracle.com/security-alerts/cpujul2020.html#AppendixJAVA). Fixed in Oracle Java SE 14.0.2 and 11.0.8.
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/b76559430fce
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 (via RHSA-2020:2970, https://access.redhat.com/errata/RHSA-2020:2970)
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 (via RHSA-2020:2969, https://access.redhat.com/errata/RHSA-2020:2969)
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions (via RHSA-2020:3098, https://access.redhat.com/errata/RHSA-2020:3098)
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support (via RHSA-2020:3099, https://access.redhat.com/errata/RHSA-2020:3099)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14562