Executive summary, so that you don’t have a heart attack before we get into the gritty details.
CVE-2018-2633 - fixed in the January 2018 CPU - allows remote code execution under either of two conditions:
- com.sun.security.enableAIAcaIssuers==true, which is hopefully as uncommon as a Google search suggests, or
- CRL checking/downloads are enabled (mostly com.sun.security.enableCRLDP==true, but possibly also other configurations) and the attacker can forge an otherwise valid/trusted certificate that carries an attacker-chosen (rather than the legitimate) CRL distribution point URL.
CVE-2017-10116 - fixed in the July 2017 CPU - possibly allowed code execution through Java deserialization for an attacker in a man-in-the-middle (MITM) position.
All of these apply to all regular X.509 certificate validation that uses Java's built-in implementation, i.e. TLS clients, TLS servers (if client certificates are used), JAR verification and so on, but only under the aforementioned conditions.
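Since both conditions boil down to "the validator goes and fetches a URL that came out of a certificate", the practical question is which URLs a given certificate would make it fetch, and whether the switches are on in your JVM. The following is an added example written for this summary (not code from the original post, and not Oracle's implementation): it unwraps the CRL distribution points and AIA caIssuers extensions with a minimal DER walker, lists their URIs, and reports the two system properties as the running process sees them. The class name, the example.test hosts and the sample extension bytes are all constructed for the example; pass a PEM or DER certificate file as the first argument to inspect a real one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Lists the URLs Java's validator would fetch from a certificate (CRL DPs, AIA caIssuers) and
 *  shows the two system properties that switch fetching on. Class/host names are invented. */
public class CertFetchUrls {
    static final String OID_CRL_DP = "2.5.29.31", OID_AIA = "1.3.6.1.5.5.7.1.1";
    // Full DER (tag, length, value) of the accessMethod OIDs found inside an AIA AccessDescription.
    static final byte[] OID_CA_ISSUERS = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};
    static final byte[] OID_OCSP       = {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
    /** The JVM-wide switches from the summary, as this process sees them (both default to false). */
    static boolean aiaCaIssuersEnabled() { return Boolean.getBoolean("com.sun.security.enableAIAcaIssuers"); }
    static boolean crlDpEnabled()        { return Boolean.getBoolean("com.sun.security.enableCRLDP"); }

    /** Decodes one DER header at pos and returns {tag, valueStart, valueEnd}; single-byte tags only. */
    static int[] header(byte[] der, int pos) {
        int tag = der[pos] & 0xFF;
        if ((tag & 0x1F) == 0x1F) throw new IllegalArgumentException("multi-byte tag at " + pos);
        int first = der[pos + 1] & 0xFF, len = first, valueStart = pos + 2;
        if (first >= 0x80) {                      // long form: 0x8n, then n big-endian length bytes
            int n = first & 0x7F;
            if (n == 0 || n > 4) throw new IllegalArgumentException("bad length at " + pos);
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos + 2 + i] & 0xFF);
            valueStart = pos + 2 + n;
        }
        if (valueStart + len > der.length) throw new IllegalArgumentException("truncated element at " + pos);
        return new int[] {tag, valueStart, valueStart + len};
    }

    /** Collects every uniformResourceIdentifier GeneralName ([6] IMPLICIT IA5String, tag 0x86) in der[from,to). */
    static void collectUris(byte[] der, int from, int to, List<String> out) {
        for (int pos = from; pos < to; ) {
            int[] h = header(der, pos);
            if (h[0] == 0x86) out.add(new String(der, h[1], h[2] - h[1], StandardCharsets.US_ASCII));
            else if ((h[0] & 0x20) != 0) collectUris(der, h[1], h[2], out); // constructed: SEQUENCE, [0], [2], ...
            pos = h[2];
        }
    }
    /** CRLDistributionPoints ::= SEQUENCE OF DistributionPoint; the URIs sit under distributionPoint[0].fullName[0]. */
    static List<String> crlDistributionPointUris(byte[] ext) {
        List<String> out = new ArrayList<>();
        collectUris(ext, 0, ext.length, out);
        return out;
    }
    /** AuthorityInfoAccess ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }. */
    static List<String> caIssuerUris(byte[] ext) {
        List<String> out = new ArrayList<>();
        int[] outer = header(ext, 0);
        for (int pos = outer[1]; pos < outer[2]; ) {
            int[] ad = header(ext, pos), oid = header(ext, ad[1]);
            if (Arrays.equals(Arrays.copyOfRange(ext, ad[1], oid[2]), OID_CA_ISSUERS)) {
                collectUris(ext, oid[2], ad[2], out);   // caIssuers only; the OCSP responder is a different code path
            }
            pos = ad[2];
        }
        return out;
    }
    /** getExtensionValue() hands back the extension wrapped in an OCTET STRING; unwrap it. */
    static byte[] extensionBody(X509Certificate cert, String oid) {
        byte[] wrapped = cert.getExtensionValue(oid);
        if (wrapped == null) return null;
        int[] h = header(wrapped, 0);
        if (h[0] != 0x04) throw new IllegalArgumentException("extension " + oid + " is not an OCTET STRING");
        return Arrays.copyOfRange(wrapped, h[1], h[2]);
    }
    // Constructed sample extension bodies (short-form lengths only), used when no certificate file is given.
    static byte[] tlv(int tag, byte[]... parts) {
        int len = 0;
        for (byte[] p : parts) len += p.length;
        if (len > 127) throw new IllegalArgumentException("sample builder handles short-form lengths only");
        byte[] out = {(byte) tag, (byte) len};
        for (byte[] p : parts) { out = Arrays.copyOf(out, out.length + p.length); System.arraycopy(p, 0, out, out.length - p.length, p.length); }
        return out;
    }
    static byte[] uri(String s) { return tlv(0x86, s.getBytes(StandardCharsets.US_ASCII)); }
    static final byte[] SAMPLE_CRL_DP = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, uri("http://crl.example.test/ca.crl")))));
    static final byte[] SAMPLE_AIA = tlv(0x30, tlv(0x30, OID_CA_ISSUERS, uri("http://ca.example.test/issuer.cer")),
                                               tlv(0x30, OID_OCSP, uri("http://ocsp.example.test/")));

    public static void main(String[] args) throws Exception {
        byte[] crlDp = SAMPLE_CRL_DP, aia = SAMPLE_AIA;
        if (args.length > 0) {                                  // a real certificate, PEM or DER
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
                crlDp = extensionBody(cert, OID_CRL_DP);
                aia = extensionBody(cert, OID_AIA);
            }
        }
        System.out.println("enableCRLDP=" + crlDpEnabled() + " enableAIAcaIssuers=" + aiaCaIssuersEnabled());
        System.out.println("CRL DP URLs (fetched when enableCRLDP): " + (crlDp == null ? "none" : crlDistributionPointUris(crlDp)));
        System.out.println("AIA caIssuers URLs (fetched when enableAIAcaIssuers): " + (aia == null ? "none" : caIssuerUris(aia)));
    }
}
```

Run it as `java -Dcom.sun.security.enableCRLDP=true CertFetchUrls some-cert.pem` to see the same switches the validator consults; on the built-in sample it reports the one CRL DP URL and the caIssuers URL while ignoring the OCSP entry, which Java reaches through a separate revocation path. Anything other than the CA's own http(s) endpoints showing up in that list is exactly the kind of certificate-controlled input the conditions above are about.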
January 20, 2018