It was discovered that the Scripting component of OpenJDK did not properly restrict access to scripting engine via Global object's engine variable when using Security Manager or class filtering. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Public now via Oracle CPU October 2018: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA The issue was fixed in Oracle JDK 11.0.1 and 8u191.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:2942 https://access.redhat.com/errata/RHSA-2018:2942
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2018:2943 https://access.redhat.com/errata/RHSA-2018:2943
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/nashorn/rev/2152c4a01445 OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/ba5ec2308106
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2018:3002 https://access.redhat.com/errata/RHSA-2018:3002
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2018:3003 https://access.redhat.com/errata/RHSA-2018:3003
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3521 https://access.redhat.com/errata/RHSA-2018:3521
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2018:3533 https://access.redhat.com/errata/RHSA-2018:3533
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2018:3534 https://access.redhat.com/errata/RHSA-2018:3534
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2018:3852 https://access.redhat.com/errata/RHSA-2018:3852