Executive summary, so that you don’t have a heart attack before we get into the gritty details.
CVE-2018-2633 - fixed in the January 2018 CPU - allows remote code execution under two conditions:
- `com.sun.security.enableAIAcaIssuers==true` - which is hopefully as uncommon as a Google search suggests, or
- CRL checking/downloads are enabled (mostly `com.sun.security.enableCRLDP==true`, but also possibly other configurations)

and the attacker can forge an otherwise valid/trusted certificate with an invalid CRL distribution point URL.
CVE-2017-10116 - fixed in the July 2017 CPU - possibly allowed code execution through Java
deserialization for an attacker in a MITM position.
All of these apply to all regular X.509 certificate validation using Java’s built-in implementation,
i.e. TLS client, TLS server (if client certificates are used), JAR verification… but only under
the aforementioned conditions.
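
To check whether a deployment meets either of the two property conditions listed above, the following added example (not code from the original post) scans JVM command lines for the two system properties. The sample command lines are constructed. It assumes the JDK reads both properties with `Boolean.getBoolean` semantics and that the last `-D` given for a key wins; it cannot see properties set programmatically or the "other configurations" mentioned above.

```python
import shlex

# The two system properties named in the summary above.
RISKY_PROPS = {
    "com.sun.security.enableAIAcaIssuers": "AIA caIssuers fetching enabled",
    "com.sun.security.enableCRLDP": "CRL distribution point downloads enabled",
}
# JVM options whose value is a separate token (so it is not the main class).
TWO_TOKEN = {"-cp", "-classpath", "--class-path", "-p", "--module-path",
             "--add-opens", "--add-exports", "--add-modules", "--add-reads"}


def effective_props(cmdline):
    """Return {property: value} for every -Dkey[=value] JVM option.

    Assumption: a property given more than once takes its last value.
    Parsing stops at -jar or the main class, because later tokens are
    application arguments, not JVM options.
    """
    props = {}
    tokens = shlex.split(cmdline)
    i = 1  # skip the java executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok in TWO_TOKEN:
            i += 2
            continue
        if tok == "-jar" or not tok.startswith("-"):
            break
        if tok.startswith("-D"):
            key, _, value = tok[2:].partition("=")
            props[key] = value
        i += 1
    return props


def audit(cmdline):
    """List findings for properties the JVM would treat as boolean true."""
    props = effective_props(cmdline)
    # Assumed Boolean.getBoolean semantics: only "true" (any case) counts.
    return [f"{key}: {why}" for key, why in RISKY_PROPS.items()
            if props.get(key, "").lower() == "true"]


# Constructed sample command lines, not taken from the article.
SAMPLES = [
    "java -Xmx512m -Dcom.sun.security.enableCRLDP=true -jar app.jar",
    "java -Dcom.sun.security.enableAIAcaIssuers=TRUE -cp lib/* com.example.Main",
    "java -Dcom.sun.security.enableCRLDP=true -Dcom.sun.security.enableCRLDP=false -jar app.jar",
    "java -jar app.jar -Dcom.sun.security.enableCRLDP=true",
]
```

Calling `audit()` on each entry of `SAMPLES` flags the first two and reports nothing for the last two, where the property is overridden to `false` or appears only after `-jar` as an application argument.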