It was discovered that the JNDI comment of OpenJDK did not properly enforce the restriction controlled by the com.sun.jndi.ldap.object.trustURLCodebase system property. In certain cases, a Java LDAP client could unexpectedly load and execute code form an LDAP server.
The restriction on loading classes from remote URL and the com.sun.jndi.ldap.object.trustURLCodebase system property was introduced via this commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/255dcd4f19b6 as the fix for CVE-2009-1094.
Public now via Oracle CPU October 2018: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA The issue was fixed in Oracle JDK 11.0.1, 8u191, 7u201, and 6u211.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/28d4d67065ab OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/e62c1f2ef2dd
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3007 https://access.redhat.com/errata/RHSA-2018:3007
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3008 https://access.redhat.com/errata/RHSA-2018:3008
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3000 https://access.redhat.com/errata/RHSA-2018:3000
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3001 https://access.redhat.com/errata/RHSA-2018:3001
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3350 https://access.redhat.com/errata/RHSA-2018:3350
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:3409 https://access.redhat.com/errata/RHSA-2018:3409
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:3671 https://access.redhat.com/errata/RHSA-2018:3671
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:3672 https://access.redhat.com/errata/RHSA-2018:3672
This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2018:3779 https://access.redhat.com/errata/RHSA-2018:3779
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852