It was discovered that the XPathParser class in the JAXP component in OpenJDK could throw an unexpected StackOverflowError exception when processing a specially crafted XPath expression. This could possibly cause a Java application to exit because of an unhandled exception if it processed untrusted XPath expressions.
Public now via Oracle CPU October 2019: https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA Fixed in Oracle Java SE 13.0.1, 11.0.5, 8u231, and 7u241.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3128 https://access.redhat.com/errata/RHSA-2019:3128
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3127 https://access.redhat.com/errata/RHSA-2019:3127
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3134 https://access.redhat.com/errata/RHSA-2019:3134
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3135 https://access.redhat.com/errata/RHSA-2019:3135
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:3136 https://access.redhat.com/errata/RHSA-2019:3136
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:3158 https://access.redhat.com/errata/RHSA-2019:3158
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:3157 https://access.redhat.com/errata/RHSA-2019:3157
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/6522a4b3a61e OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/9094c855c4b4 OpenJDK-7 upstream commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/rev/504615dcb92b
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-2973
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:4110 https://access.redhat.com/errata/RHSA-2019:4110
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:4109 https://access.redhat.com/errata/RHSA-2019:4109
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:4113 https://access.redhat.com/errata/RHSA-2019:4113
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:4115 https://access.redhat.com/errata/RHSA-2019:4115
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2020:0006 https://access.redhat.com/errata/RHSA-2020:0006
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0046 https://access.redhat.com/errata/RHSA-2020:0046