It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS.
Public now via Oracle Java SE CPU April 2014: http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html Fixed in Oracle Java SE 7u21.
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:0752 https://rhn.redhat.com/errata/RHSA-2013-0752.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:0751 https://rhn.redhat.com/errata/RHSA-2013-0751.html
OpenJDK7 upstream repositories commit: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jaxws/rev/e07c518282ba
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0757 https://rhn.redhat.com/errata/RHSA-2013-0757.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0770 https://rhn.redhat.com/errata/RHSA-2013-0770.html
Fixed in IcedTea6 versions 1.11.11 and 1.12.5, and IcedTea7 version 2.3.9: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022890.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022985.html
IcedTea6 patch fixing this problem in JDK6: http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/7877650b6ba6/patches/openjdk/jaxws-tempfiles-ioutils-6.patch
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0822 https://rhn.redhat.com/errata/RHSA-2013-0822.html