RedHat has issued an advisory today (January 21):
Our Cauldron package is synced with Fedora Rawhide (currently synced in SVN as of January 9), which has not yet been updated for these security issues.
This corresponds to the latest Oracle Critical Patch Update:
Steps to Reproduce:
Fixed in java-1.8.0-openjdk-18.104.22.168-5.b25.1.mga5.