It was discovered that the Kerberos implementation in the Kerberos component in OpenJDK did not properly handle proxy credentials. This could lead to the unintended use of wrong credentials and possible user impersonation.
Public now via Oracle CPU October 2019: https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA
Fixed in Oracle Java SE 13.0.1, 11.0.5, 8u231, and 7u241.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3128 https://access.redhat.com/errata/RHSA-2019:3128
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3127 https://access.redhat.com/errata/RHSA-2019:3127
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3134 https://access.redhat.com/errata/RHSA-2019:3134
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3135 https://access.redhat.com/errata/RHSA-2019:3135
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:3136 https://access.redhat.com/errata/RHSA-2019:3136
OpenJDK-11 upstream commits:
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/a2afeadeff2a
http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/117a25266142
OpenJDK-8 upstream commits:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/96cab194659e
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/8f88a036006e
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-2949
rhel-6 java-1.8.0-ibm update. Java SDK8 last update: 8.0.6.10 – 05 May 2020
https://developer.ibm.com/javasdk/support/security-vulnerabilities/
Security Bulletin: https://www.ibm.com/support/pages/node/6206153
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:2237 https://access.redhat.com/errata/RHSA-2020:2237
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:2239 https://access.redhat.com/errata/RHSA-2020:2239
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2241 https://access.redhat.com/errata/RHSA-2020:2241