Updating And Securing Java Under Oracle’s Latest Rules

Clients who rely on Rimini Street for support of Oracle enterprise software have been asking us how we can help support their Java applications after the end of January 2019. That is the date after which Oracle says it will stop providing updates to publicly available versions of Java SE 8 to users without a commercial subscription.1

“Organizations will now need to take stock of all their software running Java SE 8 and start to work out what potential bill they are looking at next year” is how The ITAM Review reported the change.

This comes at a time when Oracle also appears to be ratcheting up audits of Java users who may be employing commercial features without a contract.

We are tracking multiple solutions to these issues on behalf of our clients. Action items include the following:

  • Audit all of your uses of Java, making sure you know which applications require a commercial license from Oracle.
  • If you have inadvertently made use of commercial Java features, turn those features off now (if practical) and document the measures you’ve taken to address those potential compliance issues.
  • Consider alternative Java runtimes from vendors other than Oracle, based on the same OpenJDK code, which may be supported on more favorable terms.
  • If the security of your Java applications is critical, investigate technologies to prevent attackers from exploiting Java runtime vulnerabilities.
  • Know the Java version compatibility of enterprise applications such as ERP systems and your options for loading different versions of Java for different applications.
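The audit step above, as an added example that is not part of the original post: a POSIX shell inventory helper that classifies `java -version` output into Oracle's own build versus OpenJDK-based builds (Azul Zulu among them) and flags Oracle Java SE 8 installs for subscription review. The binary search paths and the sample version strings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: classify `java -version` output so an
# inventory can flag hosts running Oracle's own Java SE 8 build (no public updates
# after January 2019 without a subscription) versus OpenJDK-based builds from
# other vendors. Search paths and sample version strings below are assumptions.

# Constructed samples in the format java/openjdk print to stderr on `-version`.
SAMPLE_ORACLE8='java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.191-b12, mixed mode)'
SAMPLE_OPENJDK8='openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)'
SAMPLE_ZULU11='openjdk version "11.0.1" 2018-10-16 LTS
OpenJDK Runtime Environment Zulu11.2+3 (build 11.0.1+13-LTS)
OpenJDK 64-Bit Server VM Zulu11.2+3 (build 11.0.1+13-LTS, mixed mode)'

# classify_java TEXT -> "vendor=<oracle|azul|openjdk|unknown> version=<v> review=<yes|no>"
classify_java() {
    text="$1"
    # The first line reads `java version "X"` (Oracle) or `openjdk version "X"`.
    ver=$(printf '%s\n' "$text" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1)
    # Order matters: Zulu output also contains the word "OpenJDK".
    case "$text" in
        *"Java(TM) SE Runtime"*) vendor=oracle ;;
        *Zulu*)                  vendor=azul ;;
        *OpenJDK*)               vendor=openjdk ;;
        *)                       vendor=unknown ;;
    esac
    review=no
    case "$vendor:$ver" in
        oracle:1.8.*) review=yes ;;  # Oracle's Java SE 8 build: confirm subscription status
    esac
    printf 'vendor=%s version=%s review=%s\n' "$vendor" "$ver" "$review"
}

# inventory_host: classify every java binary found at the assumed locations.
inventory_host() {
    for j in "$(command -v java 2>/dev/null || true)" /usr/lib/jvm/*/bin/java /opt/*/bin/java; do
        [ -n "$j" ] && [ -x "$j" ] || continue
        printf '%s ' "$j"
        classify_java "$("$j" -version 2>&1)"
    done
}

# Stand-alone demo over the constructed samples; run inventory_host on a real host.
for s in "$SAMPLE_ORACLE8" "$SAMPLE_OPENJDK8" "$SAMPLE_ZULU11"; do classify_java "$s"; done
```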

As Gartner points out in a research note, “Oracle’s Focus on Java SE Compliance Can Cost Millions,” enterprise users are frequently confused by the licensing terms Oracle attaches to the technology. Java SE is the “standard edition” download of Java historically distributed free for use on “General Purpose Desktop Computers and Servers,” although Gartner’s clients report that the meaning of “General Purpose” is ambiguous. Java SE Advanced and Java SE Advanced Desktop are commercial releases with additional features.

According to Gartner, Oracle provides some free updates for the free version of Java SE, such as security patches, but for only a limited time – now down to six months after a new release. After that, commercial users will likely need a commercial contract. New JDKs are being released every six months, with quarterly updates in between. The more rapid pace of updates is marketed as doing a better job of plugging the security holes that have plagued Java in recent years.

The challenge for enterprises creating Java-based applications or deploying vendor supplied applications is that by the time the application goes into production, the specific Java SE version it was developed with may no longer be eligible for updates without a commercial license, and upgrading will require a new round of regression testing.

Another way enterprises that make extensive use of Java are being squeezed is with audits. Apparently, if Oracle finds that users of the free version are exceeding its license terms, those users can be required to pay for a commercial license. Even the “free” Java SE download seems to include features which, if activated by customers who fail to read the click-through license agreement carefully, can potentially trigger the requirement for a commercial license, according to Gartner.

If an enterprise is caught out of bounds, Oracle may also use that finding for leverage in other licensing and software maintenance contract negotiations.

Confusion over Java licensing is nothing new: even before Oracle took ownership of Java with its 2010 purchase of Sun Microsystems, the use of Java in embedded systems was governed by different licensing than its use for web development, and Sun’s “community process” for developing Java didn’t meet strict open source standards.

These days, there really is an open source OpenJDK project that defines the core Java Development Kit. The code and specification are published under a pretty standard open source license, but the open source project itself does not publish a binary distribution.

Oracle’s proprietary licensing claims apply to its distribution of the Java runtime environment (JRE) for Windows, MacOS, Solaris, and Linux. This is the “standard” version of Java.

In principle, you could compile your own JRE from the code on the OpenJDK website – and a few organizations like Twitter do just that – but some serious computer engineering mojo is required. A few other binary distributions of the OpenJDK are supported by their creators: one by Azul Systems is mentioned in Gartner’s report as a credible alternative.

Our advice is always to control your own technology roadmap, to the maximum extent possible, and not allow terms to be dictated to you by anyone. If you sign up for Oracle’s commercial support of Java, make sure you are getting your money’s worth.

Meanwhile, explore your options and consider Java alternatives. Rimini Street clients can tap the expertise of our Strategic Services Group for additional help with security, licensing, and more.

1. Any further updates will be available only to “Oracle customers with an active (1) Java SE Subscription and/or Java SE Desktop Subscription, (2) support contract for Oracle Java SE Advanced, Oracle Java SE Advanced Desktop, Oracle Java SE Suite, and/or Java SE Support, or (3) Java SE support entitlement for use of Java SE solely with another Oracle product.” See https://www.oracle.com/technetwork/java/javase/eol-135779.html.

For more information on what Rimini Street Advanced Technical Services can offer, please contact Heather Young [email protected].