There’s a Linux backdoor in the wild. It isn’t widespread but it’s conceptually simple and copycats are a real possibility. Do not be complacent because you run Linux.
See Fokirtor [Schneier on Security], Linux Covert Channel Explains Why NSM Matters [TAOsecurity], and Linux Back Door Uses Covert Communication Protocol [Symantic].
On the Java side – again do not be complacent just because you use Bouncy Castle instead of OpenSSL. I can think of at least three possible attacks off the top of my head. (Register my own https URL handler, use AOP injection around BC methods, or compromise the deployed BC jar itself.) None are trivial but all it takes is one person to write the code and a bored sysadmin looking the other way.