It was discovered that the URLClassLoader class in the Networking component of OpenJDK did not properly check access control context when downloading class files. An untrusted Java application or applet could use this flaw to make HTTP requests to locations that should not be accessible, bypassing certain Java sandbox restrictions.
Related entry in the Oracle JDK release notes: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_131 http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_141 core-libs/java.net Additional access restrictions for URLClassLoader.newInstance Class loaders created by the java.net.URLClassLoader.newInstance methods can be used to load classes from a list of given URLs. If the calling code does not have access to one or more of the URLs and the URL artifacts that can be accessed do not contain the required class, then a ClassNotFoundException, or similar, will be thrown. Previously, a SecurityException would have been thrown when access to a URL was denied. If required to revert to the old behavior, this change can be disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system property. JDK-8151934 (not public)
Public now via Oracle CPU January 2017: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixJAVA The issue was fixed in Oracle JDK 8u121, 7u131, and 6u141.
OpenJDK 8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/dfa1648415a4
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2017:0176 https://rhn.redhat.com/errata/RHSA-2017-0176.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:0175 https://rhn.redhat.com/errata/RHSA-2017-0175.html
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 5 Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:0177 https://rhn.redhat.com/errata/RHSA-2017-0177.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:0180 https://rhn.redhat.com/errata/RHSA-2017-0180.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0263 https://rhn.redhat.com/errata/RHSA-2017-0263.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 Via RHSA-2017:0269 https://rhn.redhat.com/errata/RHSA-2017-0269.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Via RHSA-2017:0337 https://rhn.redhat.com/errata/RHSA-2017-0337.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 7 Supplementary Via RHSA-2017:0336 https://rhn.redhat.com/errata/RHSA-2017-0336.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 5 Supplementary Via RHSA-2017:0338 https://rhn.redhat.com/errata/RHSA-2017-0338.html
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216