A flaw was found in the Utility component of OpenJDK. The Multi-Release attribute could have been read from outside of the main attributes in a Jar manifest, possibly leading to a use of an unsigned value for this attribute. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Public via Oracle CPU October 2018: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA The issue was fixed in Oracle JDK 11.0.1.
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/bb5b407dfe6d
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521