It was discovered that MethodHandleProxies implementation of the new reflection API in OpenJDK did not properly check privileges of the code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. Upstream commit, as included in IcedTea7 repositories: http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/11c26eb70acb External Reference: http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2013:0275 https://rhn.redhat.com/errata/RHSA-2013-0275.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2013:0532 https://rhn.redhat.com/errata/RHSA-2013-0532.html
Fixed in upstream IcedTea versions IcedTea7 2.1.6, 2.2.6, and 2.3.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2013:0626 https://rhn.redhat.com/errata/RHSA-2013-0626.html