It was discovered that the FTP client implementation in the Networking component of OpenJDK failed to correctly handle user inputs (e.g. usernames and passwords) containing newline characters. A remote attacker could possibly use this flaw to manipulate an FTP connection opened by a Java application if it could make the application access a specially crafted FTP URL. Blog posts were published that describe how this flaw can be used to open ports on firewalls using active FTP connections (http://blog.blindspotsecurity.com/2017/02/advisory-javapython-ftp-injections.html) and to send mail during XML parsing when use of XML external entities is allowed (https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/).
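As an added illustration (example code written for this page, not part of OpenJDK or of the advisory), a Java check an application can apply to an FTP URL taken from untrusted input before handing it to the runtime's FTP client: it rejects any URL whose decoded user-info or path contains a carriage return or line feed, which is exactly the input the unpatched client failed to handle. The class name, hostname and sample URLs are constructed placeholders.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Defensive pre-check for FTP URLs from untrusted sources (example code, not
 * OpenJDK's own). The flaw described above let a percent-encoded CR/LF in the
 * user-info part of an ftp:// URL be decoded and written unescaped onto the
 * FTP control channel, so every decoded field that ends up in an FTP command
 * is checked for line breaks here.
 */
public final class FtpUrlGuard {

    /** True only for an ftp:// URL whose decoded user-info and path carry no CR or LF. */
    public static boolean isSafeFtpUrl(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false;                       // unparsable: do not pass it on
        }
        if (uri.getScheme() == null || !uri.getScheme().equalsIgnoreCase("ftp")) {
            return false;                       // only ftp:// URLs are accepted here
        }
        // getUserInfo() and getPath() return the percent-decoded form, i.e. the
        // bytes that reach the USER/PASS and CWD commands on the control channel.
        return !containsLineBreak(uri.getUserInfo())
            && !containsLineBreak(uri.getPath());
    }

    private static boolean containsLineBreak(String s) {
        return s != null && (s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign URL and one whose user-info
        // contains an encoded CRLF (%0D%0A) followed by a second line.
        String benign   = "ftp://user:pass@ftp.example.test/pub/file.txt";
        String injected = "ftp://user%0D%0Asecond-line@ftp.example.test/pub/file.txt";
        System.out.println("benign   accepted: " + isSafeFtpUrl(benign));
        System.out.println("injected accepted: " + isSafeFtpUrl(injected));
    }
}
```

A patched JDK performs an equivalent rejection inside the FTP client itself; the check above only adds defence in depth for applications that must run on a mixed fleet.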
Public now via Oracle CPU April 2017; fixed in Oracle JDK 8u131, 7u141, and 6u151. External References: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixJAVA
OpenJDK8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/81ddd5fc5a4e
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6, via RHSA-2017:1109: https://access.redhat.com/errata/RHSA-2017:1109
Red Hat Enterprise Linux 7, via RHSA-2017:1108: https://access.redhat.com/errata/RHSA-2017:1108
Oracle Java for Red Hat Enterprise Linux 7 and Oracle Java for Red Hat Enterprise Linux 6, via RHSA-2017:1118: https://access.redhat.com/errata/RHSA-2017:1118
Oracle Java for Red Hat Enterprise Linux 7 and Oracle Java for Red Hat Enterprise Linux 6, via RHSA-2017:1117: https://access.redhat.com/errata/RHSA-2017:1117
Oracle Java for Red Hat Enterprise Linux 7 and Oracle Java for Red Hat Enterprise Linux 6, via RHSA-2017:1119: https://access.redhat.com/errata/RHSA-2017:1119
Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7, via RHSA-2017:1204: https://access.redhat.com/errata/RHSA-2017:1204
Red Hat Enterprise Linux 6 Supplementary, via RHSA-2017:1222: https://access.redhat.com/errata/RHSA-2017:1222
Red Hat Enterprise Linux 7 Supplementary and Red Hat Enterprise Linux 6 Supplementary, via RHSA-2017:1221: https://access.redhat.com/errata/RHSA-2017:1221
Red Hat Enterprise Linux 7 Supplementary and Red Hat Enterprise Linux 6 Supplementary, via RHSA-2017:1220: https://access.redhat.com/errata/RHSA-2017:1220
Red Hat Satellite 5.8 and Red Hat Satellite 5.8 ELS, via RHSA-2017:3453: https://access.redhat.com/errata/RHSA-2017:3453