A flaw was found in the way the XMLSchemaValidator class in the JAXP component of OpenJDK enforced the "use-grammar-pool-only" feature. A specially crafted XML file could possibly use this flaw to manipulate the validation process in certain cases.
Public now via Oracle CPU July 2020: https://www.oracle.com/security-alerts/cpujul2020.html#AppendixJAVA
Fixed in Oracle Java SE 14.0.2, 11.0.8, 8u261, and 7u271.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2970 https://access.redhat.com/errata/RHSA-2020:2970
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2969 https://access.redhat.com/errata/RHSA-2020:2969
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2972 https://access.redhat.com/errata/RHSA-2020:2972
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2968 https://access.redhat.com/errata/RHSA-2020:2968
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:2985 https://access.redhat.com/errata/RHSA-2020:2985
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3098 https://access.redhat.com/errata/RHSA-2020:3098
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3100 https://access.redhat.com/errata/RHSA-2020:3100
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3099 https://access.redhat.com/errata/RHSA-2020:3099
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:3101 https://access.redhat.com/errata/RHSA-2020:3101
OpenJDK-11 upstream commit: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59f8565ee5e2
OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/63884b34cac1
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14621
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:3386 https://access.redhat.com/errata/RHSA-2020:3386
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:3388 https://access.redhat.com/errata/RHSA-2020:3388
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2020:3387 https://access.redhat.com/errata/RHSA-2020:3387
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2020:5585 https://access.redhat.com/errata/RHSA-2020:5585